Windows Tool Set User Manual
Contents
1. HPP Hee HPP PPP RRR ROR ORO OO OR HH 4 locall keyword keyword local2 keyword keyword debug keyword keyword critical keyword keyword The above list can be repeated multiple times to specify various streamling log files match patterns and severities A maximum of 10 different log files can be specified each with a virtually unlimited number of UseFacility and UseSeverity combinations LogFile LogName Encoding MaxSizeChange DefaultFacility DefaultSeverity UseFacility MatchKeyWord MatchKeyWord UseFacility MatchKeyWord MatchKeyWord UseSeverity MatchKeyWord MatchKeyWord UseSeverity MatchKeyWord MatchKeyWord HPP Hee HPP RP PR ROR ROR ROO OR OR HH 4 END OF FILE program files file2 log FILE1 Default 10000 user disabled local1 keyword keyword local2 keyword keyword debug keyword keyword critical keyword keyword CorreLog WTS Page 77 CorreLog WTS Page 78 Appendix B Facilities And Severities This section provides a reference guide explaining the Syslog Facility and Severity codes used with the sendlog exe program and within the CO sysmsg cnf configuration file Information on the Syslog protocol as well as more information on the various facilities and severities can be found in the CorreLog Server Users manual The information provided in this appendix is briefer suitable as a quick reference CorreLog WTS Page 79 Syslog Faci2. directives can be configured UseSeverity This directive is similar to the UseFacility directive above but affects the message severity instead of the facility code This directive starts a series of match patterns any of which will cause the UseSeverity value to be specified as the message severity The value must specify a severity name or an official facility number between 0 and 7 or the special disabled severity or a 1 value which identifies the severity to use if any of the match patterns that follow are satisfied This directive is not meaningful unless immediately followed by one or more MatchKeyWord directives described below Multiple UseSeverity directives each followed by multiple MatchKeyWord directives can be configured MatchKeyWord This directive is nested within a UseFacility or UseSeverity directive and specifies a single match keyword with possible or wildcards If the message content contains the match pattern then the related severity or facility is used Multiple patterns can be specified without limit The MatchKeyWord list is ended by any other directive so the CorreLog WTS Page 29 MatchKeyWord directives must all be contiguous within a single UseFacility or UseSeverity block Monitoring Application And Service Event Logs On Windows 2008 and Windows 2012 systems in addition to the standard event logs
3. 24 Addresses 39 Admin 66 67 68 Administrative 10 48 49 68 Administrator 8 10 48 Agent 5 6 26 57 58 59 64 Alert 79 81 85 Alerts 68 Alphabetical Index 87 Alternate 26 50 Apache 33 38 Application 16 28 73 84 Arguments 16 18 Ascii 33 Assigned 84 85 Attempts 43 Audit 30 68 79 Auth 42 43 72 79 Authentication 42 56 Automatic 57 CorreLog WTS Page 89 Automatic Deployment 57 Automating 57 AuxAddress 1 72 Auxaddress 26 31 39 72 Auxiliary 26 B Basic 10 48 49 Basic Installation Steps 10 Big5 34 Bufferdata 53 55 Bufferdelaysecs 53 55 Buffering 55 Build 63 Cc CO sysmsg Config File 23 CO tsend Tunnel Sender 47 Careful 53 Caution 64 Changed 38 Checkout 12 Checkout Installation 12 Cisco 80 Click 48 63 Clicking 44 Client 49 50 Clock 79 Co installexe 12 16 17 Co svcexe 67 Co syslogexe 48 Co sysmg 67 Co sysmgcnf 66 Co sysmgexe 17 21 Co sysmsg 16 17 23 25 39 67 72 Co sysmsgcnf 16 22 23 24 41 43 45 61 62 63 68 69 71 Co sysmsglog 16 23 27 66 Co systrapcnf 53 Co trecvenf 48 49 51 53 54 Co trecvexe 21 47 48 51 52 53 54 55 56 69 Co trecvlog 54 56 69 Co tsend 47 50 Co tsendenf 49 50 51 53 56 69 Co tsendexe 21 22 47 49 50 51 52 53 54 55 56 69 CorreLog WTS Page 90 Co tsendlog 50 51 52 56 69 Codes 78 81 Command 16 18 19 59 Config 23 43 44 Config CO sysm
4. CorreLog WTS Page 17 Note that the CO sysmsg exe program MUST be executed with at least one command line argument One of the above command line arguments is required for interactive usage If the program is executed with no arguments the program will either hang or will exit with no message This is the mode of operation used by the Windows Service Manager The Sendlog exe Program The Sendlog exe program normally residing in the CorreLog wintools directory is a simple but powerful utility that allows a user to send an arbitrary Syslog message of arbitrary severity and facility to a Syslog host The program does not require the execution of the CorreLog Syslog Message Server or any other DLL or program on the Windows platform It is completely stand alone and can be copied or moved to any location on any system The command can be used at a command prompt in a windows batch file and can also be launched from other scripting languages such as Perl PHP Ruby VB and many others Sendlog exe Command Line Arguments The Sendlog exe program requires three four or five arguments The operator can execute the command with no arguments to display brief help on program usage The basic syntax of the command is as follows Sendlog destname message sevnum facilnum Each argument is explained as follows destname The first argument is required and is the hostname or IP address of the device that is running the Sy
5. LogFile directive In this special case a list of files matching the wildcard is gathered and the file within that list which was most recently updated on the system is used as the operant file This provides a mechanism for monitoring log files that do not follow an easy naming convention such as files that have numeric prefix or suffix values For example consider the case of a system of log files where a monotonically increasing integer number is added as a suffix to each file as it is created This might occur if the size of each file was self limiting so that when a file reaches a CorreLog WTS Page 38 certain size it is closed and a new file is started In this case the LogFile directive might be something such as Z logs Logfile_ log which would match the most recently updated log file in the logs target directory that begins with the prefix Logfile and ends with the suffix log Using Log Name Wildcards can be CPU intensive if the number of files in the match list is high In particular the wildcard should match a short list of files such as only a dozen files or so and the directory containing these files should not contain large numbers of files Such as only a hundred files or so Otherwise performance of the system may be significantly degraded Generally the user will not experience any problem if a log name wildcard is used reasonably Note that if the site is using CorreLog Server to manage the l
6. directive The minimum value for this is 100 msecs regardless of what minimum value the user has configured Therefore the most messages that can be sent by the CO sysmsg exe program are 10 messages per second You are probably in a situation where a flood of messages is being entered into the Windows event log and the CO sysmsg exe program is pacing itself to report all of these messages Note that this many event messages are anomalous Fix the problem at the root cause by reducing the number of event messages being generated The CorreLog tunneling software is not working There are various configuration issues that can occur with the CorreLog tunneling utilities ranging from firewall issues to mismatched encryption keys Check the Troubleshooting information found in this manual In particular you can set the LogLocal configuration directive in the CO tsend cnf and CO trecv cnf file to True and restart these two processes This will log all the connections and transfers of these two programs from the CO tsend exe to the CO trecv exe programs so you can easily find the communication failure point by examining the CO tsend log and CO trecv log files CorreLog WTS Page 71 CorreLog WTS Page 72 Appendix A The CO sysmsg cnf File This appendix provides an example of the CO sysmsg cnf file which is the central configuration file used by the CorreLog Syslog Message Service An administrator or system developer can edit th
7. C CorreLog wintools CO sysmsg cnf file An example of this file is found in Appendix A of this document There is no required editing of this file The installation dialog creates a version of this file that will be adequate for many and perhaps most situations However if a user wishes to fine tune the parameters of the Syslog messages or wishes to monitor streaming log files in addition to the Windows Event logs or needs to change the location of the CorreLog Syslog destination the file can be edited with a standard text editor as explained here or modified via the remote configuration functions as detailed in later sections of this manual If the configuration file changes via a manual edit the user must stop the CO sysmsg exe service and restart the service Any errors detected while reading the configuration file are logged to the CO sysmsg log file in the same directory as the CO sysmsg exe program and CO sysmsg cnf file If the configuration file is changed via a remote configuration operation no restart of the CO sysmsg exe program is required Detailed notes on this file possibly of interest to administrators or developers are provided in this section Note that the information herein is NOT REQUIRED to install and use the CO sysmsg exe program but is provided only to support more advanced applications and requirements CorreLog WTS Page 23 Configuration Items In addition to specifying the destination address
8. The CorreLog install and uninstall programs are very simple and require very little explanation This section describes the detailed steps needed to install and uninstall the system as well as containing application notes that may be useful to system developers and managers CorreLog WTS Page 9 CorreLog WTS System Installation Requirements The CorreLog WTS programs are non invasive and can be installed on a variety of Windows platforms and operating systems An Administrator login is required to install the software Specific system requirements of the CorreLog Server are described below e Disk Space The CorreLog WTS has a small disk footprint of less than 0 5 Mbytes The program should generally NOT be installed on a network drive If possible the program should be consistently installed in its default location of C CorreLog which may assist technical support personnel e CPU Requirements The CorreLog WTS makes minimal use of CPU and can co exist with other server components and applications The actual CPU requirements will typically be much less than 1 even under heavy load e TCP Connectivity The CorreLog WTS cannot be installed on a platform that does not have TCP connectivity This will typically not be a problem but may occur in certain evaluation and test scenarios The program works with any normal network interface card e Service Ports The CorreLog WTS program requires access to the UDP 514 port of th
9. screen select start as the Directive selected via the pull down menu and enter the precise name CO trecv exe as the scheduled command Then click Create to add the entry 6 Stop and restart the CorreLog Framework Service on the main platform You may use the Windows Service Manager in the Windows Control Panel Administrative Tools or the Stop and Start Services dialog in the Windows Start menu or you can simply reboot the platform After completing the above steps optionally verify that the CO trecv exe program has correctly started on the platform using the Windows task manager Any errors during program startup will appear in the system CO trecv log file The EncryptKey value may be arbitrarily long and can include any alphanumeric characters The key may also include spaces but the spaces are automatically removed from the encryption key and are not significant No other changes to the CO trecv cnf file are needed CorreLog WTS Page 50 Basic Installation CorreLog Windows Client Platform After installing and configuring the CorreLog Server platform the following procedure can be used to configure the Windows client platform 1 Login to the Windows Client program where the WTS software is installed Note This is the client platform and not the platform that is running the CorreLog HTTP server 2 Edit the wintools CO tsend cnf file using Windows Notepad or some other text editor Edit the v
10. For example if the user is logging many security events and the security log file is set to the minimum size it is possible that an event message is actually being dropped before the CO sysmsg exe program can see it Increase the size of the log files to 1024 Kbytes which should be more than sufficient Use the Control Panel gt Admin Tools gt Event Viewer gt Properties dialog CorreLog WTS Page 68 My CO sysmsg exe program appears to be ignoring certain events Make sure that the Event Viewer program is not filtering the events Use the Control Panel gt Admin Tools gt Event Viewer gt Properties dialog and click on the Filters tab The Microsoft Event Viewer can selectively shut off certain events at the source so that they are never seen by the CO sysmsg exe program and never relayed to the Syslog server Can reduce the Microsoft Event Log sizes to their minimum size No The system requires ample buffer space in the form of non trivial event log sizes Some users may think that because the CO sysmsg exe program is in place the event logs can be made very small because the CO sysmsg exe program will relay events to the Syslog server host In practice this is partially true However the system requires around 1024 Kbytes as the maximum size of any event log or more How can I decrypt an encrypted Syslog message You can t The CorreLog encryption routine uses a secret key available only to the Cor
11. Server The CorreLog WTS is already an embedded part of the main CorreLog installation package and does not need to be installed on the same platform as the CorreLog Server The exception to this might be if the user wishes to direct the event log messages to another Syslog server By default the CO sysmsg exe program which monitors the event logs is installed as part of the base CorreLog system and directs messages to localhost i e to the locally running copy of the CorreLog Server The CorreLog WTS software contains one special feature that can be used ONLY with the CorreLog and that is the data encryption functions of the software The user can enable data encryption of Syslog messages between the CorreLog WTS and CorreLog Server for those situations that might warrant this such as sending messages across a public internet More information on the data encryption function is found in the section of this manual dealing with the Syslog Message Server Configuration file The CorreLog Windows Tool Set Fast Start The remainder of this manual will deal with the various detailed aspects of the CorreLog WTS software in detail For those users wishing a quick start the following information will get the CorreLog WTS software up and running as quickly as possible on a Windows platform permitting you to immediately begin using the program CorreLog WTS Page 7 e The CorreLog WTS is obtained as a single self extracting WinZip f
12. This can be tested and verified as described here Once the system is running the user can test the installation using the sendlog exe program which resides in the CorreLog wintools directory Brief help on how this program is used can be acquired by running the program at a Windows command prompt and typing the command sendlog help which will show the syntax of the command Send an initial Syslog message to verify the CorreLog Server is listening for messages At a command prompt on the CorreLog platform type sendlog dest First Test Message 7 1 The value of dest is the destination hostname or IP address of the platform running the Syslog receiver software or the CorreLog Server entered into the installation dialog See step 6 above This should cause a message from the platform to appear in the Syslog section of the web interface The facility will be user 1 and the severity will be debug 7 Make sure that any port blocking or Virus Protection program is not interfering with the proper operation of the CO sysmsg exe program This is a common problem but easily fixed by accessing the exclusions section of your protection software and permitting access to UDP port 514 Re installing the Software The user can re install the server by running the CorreLog wintools CO install exe program again The user does not have to uninstall and re install the program software from the WinZip f
13. a third parties sloppy uninstaller program or may indicate a problem with the registry You can filter out all of these messages via the CO sysmsg cnf file or you can investigate what software components are missing from the system This is acommon problem of older machines or machines that have migrated from older operating system versions to newer versions such as Vista These keys can be inspected via the regedit program by looking at the SYSTEM CurrentControlSet Services Eventlog portion of the Windows registry I am receiving messages that begin data followed by garbage This is due to the encryption mechanism of the CO sysmsg exe and sendlog programs You are receiving this data at some server OTHER than the CorreLog Server The data encryption works only between the CorreLog WTS and CorreLog WTS Page 70 CorreLog server Turn off the data encryption in the CO sysmsg exe program via the EncryptData directive in the CO sysmsg cnf file To turn off the encryption associated with the sendlog exe program you need to unset the SIGMA_ENCRYPT_DATA environmental variable This will take care of the problem The CorreLog server does not receive the Syslog message until several minutes after the message was generated The CO sysmsg exe program parses events in the order that they were received The program contains specific logic to prevent messages from being sent faster than the MsgDelayMsecs
14. and developers and how to troubleshoot and solve these problems The CorreLog WTS is designed to be flexible and open and cover a variety of different application areas It is common to experience problems especially when getting started The range of the typical problems experienced is quite small and can largely be addressed by the notes in this section Prior to opening a trouble ticket users may wish to review the list of issues in this section In addition to providing assistance with solving problems this section can be used to achieve greater insight into the workings of the CorreLog WTS After reviewing this section if you still have questions or issues please contact customer support or visit our website or call us directly See also the CorreLog Framework User Reference Section 8 which has a similar list of frequently asked questions and troubleshooting techniques useful when working with the CorreLog and framework components Thanks for your interest in the CorreLog Framework We are always interested in comments suggestions and construction criticism as well as discussing your particular applications CorreLog Inc 2008 2014 All Rights Reserved CorreLog WTS Page 67 I am not any receiving Syslog messages The most likely reason is that a firewall is preventing the transmission of the message to the destination host You need to open a hole in the firewall to permit UDP port 514 to be accessed at the rem
15. by the CorreLog Server to provide a more meaningful facility name based upon the message content Local1 This is another user definable facility See notes regarding the Local0 16 facility Local2 This is another user definable facility See notes regarding the Local0 16 facility Local3 This is another user definable facility See notes regarding the Local0 16 facility Local4 This is another user definable facility In particular this is commonly used by RedHat clustering software and is used by the Cisco PIX software and is used in some Perl scripts See notes regarding the Local0 16 facility for more information Local5 21 This is another user definable facility See notes regarding the Local0 16 facility Local6 22 This is another user definable facility See notes regarding the Local0 16 facility Local7 23 This is another user definable facility See notes regarding the Local0 16 facility CorreLog WTS Page 82 Syslog Severity Codes And Their Meaning The basic severities defined by RFC 3164 are discussed below Debug 7 The lowest severity reserved strictly for debugging the system In practice debug messages can be totally ignored by everyone Info These are informational messages which can be reviewed later having some pertinence but which can be operationally ignored because they have no effect on management activ
16. exe 192 168 1 1 In particular the wt silent exe program works with most remote software installation programs including the Sys Internals program psexec exe For example to remotely install the program using the psexec exe program the operator can use a batch file such as the following REM Remote installation script for agent programs REM Requires the psexec exe Sys Internals command REM See http technet microsoft com en us sysinternals bb897553 REM Parameters are as follows REM D The destination address of the CorreLog server REM R The remote directory path to receive the install REM U The administrative username for the install REM P The password for the administrative username REM T The target node to perform the remote installation on REM Modify parameters appropriately below SET D 127 0 0 1 SET R C CorreLog SET T 127 0 0 1 SET U Administrator SET P clear text password REM Perform the installation REM First create the remote directory then install the package psexec h T u U p P mkdir R psexec h T u U p P c f w R wt silent exe D The above program can be cut and pasted to a file in the s doc directory to affect a remote installation of the wt silent exe package Note that the psexec exe program used by the batch file is not a part of the CorreLog CorreLog WTS Page 60 installation but a s
17. file residing the in the same directory as the CO tsend exe program LogLocal This value is set to either True or False If the value is True then all messages sent by the CO tsend exe program are also logged in the CO tsend log file along with any error messages encountered by the program This provides a simple way to verify whether UDP messages are being dropped Note that the CO tsend log file is restarted each time the service is started hence the file does not grow without bounds If this directive is omitted it is interpreted to be False EncryptKey This value is the encryption key used to encrypt message It can contain any alphanumeric characters including spaces but all spaces are ignored The value must agree with the EncryptKey value specified in the CO trecv exe program The value of Default is the initial key configured in both CO tsend exe and CO trecv exe If the value is modified in one location it must be modified in all locations CorreLog WTS Page 54 BufferData This optional value can be used to enable data buffering If set to true then the CO tsend exe program will buffer up to 10 000 lines of data should the connection between the program and CorreLog become unavailable CorreLog will try each BufferDelaySecs seconds by default one second to resend the data This value must exist and must be set to True to enable data buffering See additional notes below
18. for the default severity for an event log When the user configures a setting of auto for the default severity of the Windows agent or the log file monitor the severity of the syslog message generated by the agent and sent to the syslog collector is automatically derived based upon the native severity of the message or by keywords in the message The exact mapping depends upon the type of log file being monitored as described in this appendix Note that the default severity of auto can be overridden by keywords configured at the agent and can also be overridden at the CorreLog manager So the severities described herein apply only to the case where no special handling of message keywords For further information on default severities and the DefaultSeverity keyword see Section 4 of this document and Appendix A CorreLog WTS Page 85 Windows Application Event Log Severities The table below provides the mapping between the Windows Application event log and syslog messages generated by the agent Windows Application Log Severity Assigned Syslog Severity Critical Critical Error Error Warning Warning Other Info Windows System Event Log Severities The table below provides the mapping between the Windows System event log and the syslog messages generated by the agent These are similar to the application log except that messages other than the standard Critical Error and Warning ca
19. neither the CO tsend exe or CO trecv exe program is installed or configured The administrator must manually install the CO tsend exe service on one or more Windows platforms and manually edit the configuration files for the program The administrator should also install the CO trecv exe program at the CorreLog server Neither of these programs is required for proper operation of the CorreLog server However if a site as special firewall routing or encryption requirements these programs can enhance the over all security of the CorreLog system Detailed notes on the CO tsend exe and CO trecv exe programs are provided in later sections of this manual including the steps needed to install and configure the program on both a client windows platform and also on the central CorreLog server The Rsmconf exe Utility The CorreLog WTS includes a utility that permits remote configuration changes of the CO sysmsg exe program This utility is found in the system rsmconf exe location of the main CorreLog Server The utility permits an administrator with authentication and security to remotely change the configuration of the CO sysmg exe program assisting in the configuration and maintenance of the program Note that the program executes only on a licensed copy of the main CorreLog server program The configuration of the CorreLog WTS is discussed in detail within the sections that follow Although it may not be necessary to ever change the defau
20. such as Security System Application The operator can add an Application Event Log to the system via the EventLog field by specifying the official name of the event log This name is available on Windows 2008 2012 and other post Vista systems using the wevtutil exe program at a command prompt as follows C gt wevtutil exe el The above command displays an enumerated list of all application logs on the system Any name can be added as an Event log specification without the Microsoft Windows prefix When entered as an EventLog specification the application log will be polled for changes approximately once every 30 seconds detecting a maximum of 100 new messages per poll cycle These EventLog strings include but are not limited to text strings such as any of the the following DriverFrameworks UserMode Operational PrintService Admin PrintService Operational SystemHealthAgent Diagnostic TaskScheduler Debug TaskScheduler Operational Windows Defender Operational Windows Firewall With Advanced Security Firewall Note that this feature requires the wevtutil library hence is not applicable on 2003 or XP or potentially other Windows OS configurations These logs MUST contain a forward slash in their name such as Admin Operational Debug Diagnostic etc A Microsoft Windows prefix can be specified with the log name but will be ignored by the agent Finally note that this can cause certain pe
21. 0 bytes is used The value may be increased to 1 Mbyte This parameter helps prevent excessive Syslog messages from being generated should a file undergo extremely rapid updates such as anew file being copied into place Each log file has its own MaxSizeChange value LogStatType This optional directive if it exists must follow the LogFile directive and must have a value of Active or Passive The default Active will cause the relevant log file monitor to actively open log files to determine their sizes whereas the Passive default setting uses the operating system to determine log file sizes The Active setting may be useful for files that are flushed to the disk only occasionally but this mode of operation is CorreLog WTS Page 35 much more intrusive and may cause unexpected crashes of the log processes If the directive is not specified log files are checked passively i e a log file is not opened unless there exists a change LogStatChange This optional directive if it exists must follow the LogFile directive and have a value of disable enable The directive indicates that the monitor agent is not to read the file but only send a Syslog message with the DefaultFacilty and DefaultSeverity should the file modification time change This is useful for monitoring file objects that are not necessarily log files The file object specified by LogFile can be a directory or any file including an executable file
22. 2 CorreLog Syslog Windows Tool Set WTS User Reference Manual http www correlog com mailto info correlog com CorreLog Syslog WTS User Reference Manual Copyright 2008 2015 CorreLog Inc All rights reserved No part of this manual shall be reproduced without written permission from the publisher No patent liability is assumed with respect to the use of the information contained herein Although every precaution has been taken in the preparation of this book the publisher and author assume no responsibilities for errors or omissions Nor is any liability assumed for damages resulting from the use of this information contained herein CorreLog WTS Page 2 Table of Contents Section 1 Introduction Section 2 CorreLog WTS Installation Section 3 CorreLog WTS Usage Section 4 CO sysmsg Config File Section 5 Remote Configuration Section 6 CO tsend Tunnel Sender Section 7 Automatic Deployment Section 8 CorreLog WTS FAQs Appendix A The CO sysmsg cnf File Appendix B Syslog Protocol Appendix C Severity Mappings Alphabetical Index CorreLog WTS Page 3 15 23 43 49 59 67 73 79 85 89 CorreLog WTS Page 4 Section 1 Introduction This document contains installation and application notes regarding the CorreLog Windows Agent and Windows Tool Set CorreLog WTS which is a compact set of software tools that instrument a Windows Vista XP or 200X operating system with Syslog capabilit
23. 6 Title 63 Tool 567 11 62 64 72 Tool CorreLog Windows Set Interoperability 7 Tools 66 67 68 Transport 79 Trap 6 Trapdestport 53 Traplistenport 51 Trouble 65 Troubleshooting 55 69 Troubleshooting Information 55 Tunnel 6 21 22 47 48 49 50 Tunnel CO tsend Sender 47 Typically 57 U Uninstall 9 13 Uninstalling 13 CorreLog WTS Page 98 Upload 44 45 Usage 15 Usage CorreLog WTS 15 Usefacility 28 29 30 35 36 37 38 72 73 74 75 User 5 54 65 73 74 78 Users 10 13 16 77 Useseverity 28 29 30 35 36 37 38 72 73 7475 Utf 8 34 Utility 6 21 45 V Version 27 28 Viewer 28 66 67 Virus 10 12 55 Visit 86 Vista 569 W Warning 30 81 84 85 Week 36 Weekday 36 Western 34 Wildcards 37 Win32 24 72 Windows CorreLog Tool Set Interoperability 7 Windows Security Event Log Severities 84 Windows System Event Log Severities 84 Winzip 8 9 11 12 60 64 Wizard 26 Wsendlogexe 20 21 Wt agentmsi 61 Wt silentexe 58 Y Year 36 CorreLog WTS Page 99 a CorreLog Inc http www CorreLog com mailto support CorreLog com Copyright 2008 2014 All rights reserved CorreLog WTS Page 100
24. BufferDelaySecs This optional value is valid only if BufferData is set to True and can be used to control the delay before any data is recent The default value is 1 second indicating that the queued messages will retry to send the data each second Careful selection of this value can improve performance if the connection is Known to be intermittent for a period of time such as 300 seconds MessagePrefix This is an optional prefix that is applied to all syslog messages sent by the tunnel sender If the directive is omitted no messages are prefixed The value can contain environmental variables or can be static text such as text reflecting the identify of the remote site The CO trecv cnf Configuration File The CO trecv cnf file resides in the same directory as the CO trecv exe program and provides the following directives ListenPort This is the standard TCP port number of 51462 which must agree with the DestinationPort directive of the CO tsend cnf file discussed earlier For the CO tsend exe program to communicate with the CO trecv exe program this port number must be the same for both programs and any intermediate firewall or filtering router must have this TCP port number open There is generally no need to change this value TrapDestPort This is the UDP port number that the CO trecv exe program relays SNMP traps to on the local platform By default this is the standard port number of UDP 162 The value must agre
25. Rsmconfexe 21 22 45 Ruby 18 S Save 64 Schedule 48 Scheduler 48 Scom 13 61 Section Summary And Additional Notes 22 38 46 56 Security 5 6 16 28 30 31 46 66 68 73 74 78 84 Security Windows Event Log Severities 84 Sender 6 21 22 47 48 49 50 Sender CO tsend Tunnel 47 Sendlog 6 18 19 20 Sendlogexe 18 19 20 Services 48 Setting 22 42 Settings 68 Setup 26 59 Severities 28 77 84 85 Severities Facilities And 77 Severities Windows Security Event Log 84 Severities Windows System Event Log 84 Severity 30 77 81 83 84 85 Severity Mapping 83 Shooting 65 Sigma 13 67 Sigma encrypt data 20 22 69 Silent 58 Size 38 Smtp 78 Software 12 62 63 Software Re installing 12 Source 60 63 Space 10 CorreLog WTS Page 97 Special Log File Names 36 Specific Example 62 Specifications 24 28 29 33 37 Specifications Event Log 28 Specifications Log File Monitor 33 Specifications Notes On Event Log 29 Specifications Other Notes On Log File Monitor 37 Standard 61 Start 7 48 Startup 38 49 Steps 10 Steps Basic Installation 10 Success 30 68 84 Summary 22 38 46 56 Summary Section And Additional Notes 22 38 46 56 Sunday 36 Sysidestport 53 Sysloglistenport 52 System 10 16 25 28 30 42 43 48 73 78 84 System Windows Event Log Severities 84 T Task 16 55 Their 78 81 Time 32 33 36 Time zone 3
26. Special Log File 36 News 78 Normally 55 Notepad 48 49 50 Notes 13 22 29 37 38 46 56 64 Notes Additional 13 64 Notes Other On Log File Monitor Specifications 37 Notes Section Summary And Additional 22 38 46 56 Notes On Event Log Specifications 29 Notice 81 84 85 CorreLog WTS Page 95 Number 24 Number Destination Address And Port Directives 24 O Operation 59 Optional Parameters Section 26 Oracle 33 34 38 71 Other Notes On Log File Monitor Specifications 37 Overview 6 P Package 13 60 61 62 63 Package Creating Custom MSI 61 Page 87 Parameters 24 25 26 58 72 Parameters Optional Section 26 Parameters Remote Configuration 25 Parms 42 43 PassKey Configuration 43 Passkey 43 Path 63 Percent 36 Perl 18 66 80 Platform 48 49 Policy 68 Port 24 25 26 Port Destination Address And Number Directives 24 Ports 10 Printer 78 Procedure 50 Product 63 Program 9 16 18 20 21 28 58 59 61 Programs 13 Properties 66 67 Protection 12 R Re installing 12 Re installing Software 12 Receiver 47 48 Recycle 9 13 Redhat 80 Reference 5 54 65 72 CorreLog WTS Page 96 Remote 6 24 25 26 28 41 42 43 44 45 58 Remote Config Via CorreLog Web Interface 43 Remote Configuration 41 Remote Configuration Parameters 25 Requests 42 Requirements 10 Requires 58 Reserved 65 Rights 65 Routers 6
27. age 25 Alternate and Auxiliary Syslog Destinations The Primary Destination Address and Destination Port directives discussed previously have special properties Both of these values must be at the top of the file and cannot be reconfigured remotely The user must edit these values by hand such as with the Setup Wizard or via the Agent Configuration tool An administrator can add AuxAddress directives to the file to send the syslog message information to other locations Zero to eight of these directives with IP address values can be added to the configuration file and any messages generated by the agent program will be sent to these addresses The AuxAddress value does allow remote configuration and does not encrypt the syslog messages The value extends the role of the agent to include other syslog collectors including other CorreLog Servers as part of the collection strategy For example the AuxAddress value can be used to send messages to a failover device a redundant collector or a different department within the enterprise To disable this function remove the AuxAddress directive or set the value to a non valid address such as 1 Optional Parameters Section Following the Remote Configuration directives and Auxiliary Syslog Destinations if any are a series of optional parameters These can be commented out or deleted The Optional Directives that can appear in the file are as follows MessagePref
28. ain server platform The information on how to install and configure this program was CorreLog WTS Page 56 discussed in a previous section of this manual and is not documented within the CorreLog User Reference Manual Buffering Data Functions The CO tsend exe program provides the special function of buffering data should the connection between the program and CorreLog become unavailable This is useful if CorreLog or an intermediate router or switch is rebooted or if a connection is otherwise unavailable In this case the CO tsend exe program will temporarily store up to 10 000 messages and resend these messages when the connection is re established Normally the BufferData configuration value is set to False On some versions of CorreLog this directive may not appear in the default configuration file in which case buffering is not enabled To enable buffering the administrator must set this value to True Buffering the data can interfere with any alerts configured in CorreLog since buffering is not a real time operation When the connection between the CO tsend exe program and CorreLog is re established all messages that have been buffered are resent and each message includes a flag that indicates the amount of time the message was delayed This flag can be used to exclude retransmitted data from alerts threads and triggers The CO tsend exe program additionally sends a message indicating the amount of time t
29. all if any such as with the following command Msiexec x wt agent msi Note that the MSI package is particularly lightweight contains only core and essential files and does not include the documentation found in the wt silent exe program or any extra utilities found in the wt silent exe package other than the sendlog exe program Creating A Custom MSI Package If the user wishes to create a custom MSI package rather than using the standard wt agent msi package documented above the user can create an MSI package from the CorreLog WTS distribution files in a variety of ways using several public domain programs This permits the CorreLog WTS to be remotely deployed using Microsoft SMS or some third party Windows software deployment system including repackaging of the files and configuration data CorreLog WTS Page 63 There are various ways of creating an MSI package depending upon the packaging software that you are using The basic steps to creating an MSI package for the Windows Tool Set are as follows 1 Install the CorreLog Windows Tool Set system on a test computer using the standard Windows Based setup program documented in Section 2 of this manual 2 Stop the CorreLog Syslog Message Service on the platform using the Windows Service Manager and verify that the CO sysmsg exe program as stopped 3 Optionally make any additional changes to the CO sysmsg cnf file such as adding any special filters or conf
30. alled using the command line options The precise steps needed to manually install the CO tsend exe program as a service are as follows 1 Copy the CO tsend exe and CO tsend cnf file to the target Windows platform to any folder on that platform Both files must appear in the same folder No other files are required 2 Edit the CO tsend cnf file copied above using Windows Notepad or some other text editor as described in step 2 of the previous procedure Supply values for the DestinationAddress and EncryptKey parameters as described above 3 Install the CorreLog Tunnel Sender service by issuing the following commands at a command prompt CO tsend install CO tsend mode auto CO tsend start No other steps are needed to configure the CO tsend exe program The above commands entered at a Windows command prompt will install the service set the startup type to be automatic and start the service The CorreLog Tunnel Sender Service entry will appear in the Windows Service Manager screens and the CO tsend exe program will appear in the Windows task manager Note that the CO tsend exe program provides command line arguments that are the same as the CO sysmsg exe program The user can install remove start stop and check the service via arguments Type CO tsend exe help for brief help on program usage Any errors during program startup or execution will appear in the CO tsend log file in the same
31. alue for DestinationAddress to be the IP address of the CorreLog server platform configured earlier Also set the value for EncryptKey to be the same value used in the CO trecv cnf file as described earlier 3 Go to the Windows Service Manager in Windows Control Panel Administrative Tools and click on the CorreLog Tunnel Sender Service entry Set the Startup Type to automatic and start the service The only two required settings in the CO tsend cnf file are the EncryptKey value which must agree with the CO trecv cnf file and the DestinationAddress value which must be the IP address where the CO trecv exe program is executing After completing the above steps verify that the CO tsend exe program has correctly started on the platform using the Windows task manager Any errors during program startup will appear in the wintools CO tsend log file Optionally test the service using the sendlog exe program You can send a Syslog message to the platform where CO tsend exe is executing and the log message should appear correctly in the main CorreLog server as if it was sent to the server directly CorreLog WTS Page 51 Manual Alternate Client Installation Procedure The CO tsend exe program is a stand alone utility Although it is installed and partially configured by the WTS installation dialog it can also be copied to any Windows platform to any folder along with its configuration file and inst
32. and port number the configuration file contains a number of other settings that can be used to specify log files in addition to the Win32 Event Log files as well as match patterns that set the facility and severities of the various Syslog messages The file contains the following sections e Destination Address And Port Number The top of the file contains the destination and port number for Syslog messages e Remote Configuration Parameters The next section of the file contains information regarding the remote configuration capability of the program including the type of authentication and optional passkey required to permit remote configuration e Optional Parameters Following the above fields the user can specify ancillary parameters such as whether encryption is to be used e Event Log Specifications Following the Optional Parameters section are multiple entries that list all the Win32 event logs and the facilities to use for each event log The user can configure multiple match patterns for multiple facilities and severities using the MatchKeyWord directive e Log File Monitors Following the Event Log specifications are multiple entries that allow the user to specify zero or more streaming log files which can be continuously monitored by the program The user can configure multiple log files each with multiple patterns to control multiple facilities and severities using the MatchKeyWord directive Each
33. aultSeverity disabled UseSeverity info MatchKeyWord bad password MatchKeyWord successful logon type 2 UseSeverity notice MatchKeyWord change password attempt MatchKeyWord account deleted MatchKeyWord account disabled UseSeverity warning MatchKeyWord policy change MatchKeyWord account created MatchKeyWord account enabled UseSeverity error MatchKeyWord account locked out User can configure other Security severities and facilities here UseFacility local7 MatchKeyWord keyword MatchKeyWord keyword UseFacility locals MatchKeyWord keyword MatchKeyWord keyword UseSeverity debug MatchKeyWord keyword MatchKeyWord keyword UseSeverity critical MatchKeyWord keyword MatchKeyWord keyword HHP PH Hee HPP RPP ROO OP OR OOO OR OO OH EH The next section provides a list of filenames match keywords and the facility and severity of the resulting syslog message NOTE After starting the LogFile section no further EventLog directives should appear in the file LogFile program files filel log LogName FILE1 Encoding Default MaxSizeChange 10000 DefaultFacility user DefaultSeverity disabled CorreLog WTS Page 76 HE HHH HH HE HH HE UseFacility MatchKeyWord MatchKeyWord UseFacility MatchKeyWord MatchKeyWord UseSeverity MatchKeyWord MatchKeyWord UseSeverity MatchKeyWord MatchKeyWord
34. can be used to monitor multiple and arbitrary streaming log files on the system This function can be used independent of the Windows Event Log and permits an administrator to instrument special log files such as the Apache HTTP server logs Oracle Database error logs and many other logs on the system Only streaming text type log files can be monitored That is the log file must be normally appended with text information with new information tacked on to the end of the file The program cannot monitor files that continuously change size or are written in reverse chronological order or are not mainly ASCII text Fortunately this type of log file is uncommon the vast majority of error logs transfer logs and transaction logs are streaming text growing in size and reset only occasionally These log files can be monitored quite easily The Log File Monitoring capability is an integral part of the CO sysmsg exe program and is quite powerful This function by itself may very well justify the installation of the CO sysmsg exe program irrespective of whether an administrator wishes to monitor the native Windows event logs Log File Monitor Specifications The Log File Monitor directives are similar to those used in Event Log Monitoring discussed previously Following the Event Log Specifications the user can configure one or more log file monitors default facilities and severities and match patterns that overwrite these defaul
35. cations and requirements with special emphasis on security and reliability of message delivery CorreLog WTS Page 49 Basic Installation CorreLog Server Platform To configure the CorreLog Tunnel Sender and Receiver programs the user must have access to both the Windows client program and the central CorreLog server program The user must perform a one time installation and configuration of the CO trecv exe program at the main CorreLog platform as follows 1 Log into main CorreLog server platform as an Administrator Note This is the platform running the CorreLog HTTP server and CO syslog exe process and not the Windows client program 2 At the main CorreLog server platform edit the system CO trecv cnf file using Windows Notepad or some other text editor Provide a value for the EncryptKey setting Remember the value for this encryption key because it will also be entered at each platform The user can elect to use the Default encryption key if no special encryption requirements exist The encryption key can be arbitrarily long and consist of any alphanumeric characters including spaces 3 Log into the CorreLog server web interface with an admin type logon 4 Click on the System gt Schedule tab of the web interface This displays the CorreLog Scheduler screen which describes controls the startup and periodic execution of CorreLog processes Click AddNew to add a new entry 5 On the AddNew Entry
36. cept in those very special circumstances where the CO sysmsg exe program is executing on a detached network where security is not a concern Auth Mode 1 Setting the ListenAuthMode to a value of 1 causes authentication of remote configuration requests based upon the IP address of the requesting platform If this auth mode is used then any remote configuration request to the CO sysmsg exe program that originates on a platform other than the localhost 127 0 0 1 address or the value of the DestinationAddress directive is rejected The requesting program must be at the location that receives the Syslog messages or on the localhost Auth Mode 2 Setting the ListenAuthMode to a value of 2 causes authentication of remote configuration requests solely based upon the configured passkey The value of the ListenPassKey value must agree precisely with the value passed to the rsmconf exe program discussed below or the value configured at the CorreLog Server platform on the System gt Parms screen Initially both of these passkey values are set to the keystring Default so no special configuration is required out of box Auth Mode 3 Setting the ListenAuthMode to a value of 3 causes authentication of remote configuration requests to occur based both on the passkey used in Auth Mode 2 and the source IP address used in Auth Mode 1 This is the most secure way of managing the remote configuration process and is the default out of box se
37. ch file The value of the product title should agree with the value configured in the INSTALL bat file in this case the keyword CorreLog Build the package using the Package gt Build menu item and specify the location of the resulting msi file The utility prompts for the location of the correlog mcr file When finished the correlog msr and correlog msi files will have been created You may discard the correlog msr file after the MSI file is created It will not be needed or used again Once the msi file is created execute Corner House Software msilaunch program and select the correlog msi file created above Use the File gt Open menu item of the msilaunch program to select the file This will display a listing of the files within the MSI package and a series of checkboxes 10 Check the INSTALL bat file This will cause the INSTALL bat file to be automatically executed once the MSI files have been installed CorreLog WTS Page 65 11 Save the MSI package using the File gt Save menu item 12 Test the MSI package using the standard msiexec Windows utility and verify that the package correctly installs The msiexec program contains multiple command line options Use the following command to run an unattended installation msiexec i correlog msi The above procedure creates the correlog msi file which can then be used with Microsoft SMS or other software distribution packages to remotely
38. codes are useful for categorizing the message at the Syslog receiver program Although these values are expressed by their numeric values they are easily referenced Executing the sendlog program with no command line arguments will display a list of all the numeric severity and facility numbers along with brief notes on usage The WTS also includes the Wsendlog exe utility discussed later in this section which provides an identical function to the Sendlog program except provides a user friendly Windows dialog to the user See below Encrypting Data The SIGMA ENCRYPT DATA environmental if set to any value will cause the sendlog program to encrypt data it sends This environmental variable should be used ONLY if the destination address is the CorreLog Server The environmental variable can be set to any value can be set by the administrator or can be set in a batch file which launches the sendlog exe program Note that this environmental variable affects only the sendlog exe program and does not affect the CO sysmsg exe process discussed earlier The CO sysmsg exe program can also encrypt data but that control is located in the configuration file for the program discussed in the next section Using an environmental variable rather than a command line option makes the usage of the sendlog exe program easier because the user does not have to remember another command line argument However the more important rea
39. default TCP port number used for communication between the CO tsend exe and CO trecv exe programs is TCP port 51462 This value can be changed However if the value is changed in one configuration file it must be changed in all configuration files 4 Exactly one copy of CO trecv exe should normally be installed to accept messages from one or more CO tsend exe programs The user can install one CO tsend exe program and direct all traffic to that program or can install multiple copies of the CO tsend exe program such as one copy on each Windows platform CorreLog WTS Page 58 Section 7 Automatic Deployment Manual installation of the CorreLog WTS can be done quickly within an enterprise and provides a highly controlled rollout of the agent software Typically a manual installation of the software requires only a few minutes per target platform including the time to log into the target platform acquire the software from the CorreLog home page and run the installation procedure Even though manual installation is fast and easy some enterprises may find it desirable to perform an automated deployment of the CorreLog WTS across hundreds or even thousands of different system This section provides procedures and methods to assist with automatically deploying the CorreLog WTS to multiple Windows platforms The CorreLog Windows Agent can be installed using a silent and or unintended installation procedure using standard using dep
40. deploy the CorreLog Windows Agent and WTS package across multiple Windows platforms in your enterprise Additional Notes 1 The wt silent exe program performs a silent installation of the Windows agent and can be used in remote software deployment The CSetup exe program can be used to perform a command line installation of the Windows agent and provides extra capabilities such as in creation of self extracting WinZip files and MSI files In addition to using an MSI file a self extracting WinZip program or other installation software can execute the CSetup exe program possibly within a CMD prompt or batch file Caution may be necessary to insure that the CO sysmsg exe program is not already executing when the installation takes place because the CO sysmsg exe program cannot be overwritten by new installation software if it is in use by the operating system The wt silent exe program will attempt to uninstall any existing version of the program before installing the new one The CSetup exe program will uninstall the WTS from the service manager and then re install itself thereby permitting the user to change the location of the Windows Tool Set software to another pathname This greatly simplifies the relocation of the WTS software if that is needed CorreLog WTS Page 66 Section 8 Trouble Shooting amp FAQs This section finishes this manual by discussing common problems encountered by CorreLog WTS administrators
41. directory as the CO tsend exe and CO tsend cnf file You may test the service s operation by sending a Syslog message to the platform where the CO tsend exe is executing The log message should appear correctly in the main CorreLog server as if it was sent to the CorreLog server directly Firewall Configuration A main application of the CO tsend exe program is to permit tunneling through firewalls In this case the administrator configures a single copy of the CO CorreLog WTS Page 52 tsend exe program on a Windows platform and then directs all SNMP traps and Syslog messages to that platform The administrator can then open up a single port in the firewall to permit traffic between the CO tsend exe and CO trecv exe program By default the CO tsend exe and CO trecv exe programs communicate across the TCP port 51462 This can be changed in the configuration files of the programs Both programs must have the same port number specified in their configuration files Generally there is not much need to specify a different port number since this number is quite obscure However if the port number is changed the configuration files of the CO trecv exe and CO tsend exe programs must both be changed to permit proper communications Note that the CO trecv exe program running at the CorreLog server platform can service any number of CO tsend exe programs Generally there will be only one copy of the CO trecv exe program executing a
42. e With CSetup exe The CSetup program in addition to working as a command line program for installing the agent has the unique capability of being prepended to a file such as to create a custom installer For example to create a custom installer with a unique configuration file the user can unzip the CorreLog agent package apply custom configuration Such as a new configuration file or other changes and then zip the program back together with the custom changes The new zip program can be created by the free Info Zip software or by standard WinZip Once a new zip file is created the CSetup exe program is prepended to the package using the copy b utility For example to prepend the CSetup exe program and the Info Zip self extractor available from Source Forge and other locations the following command can be executed copy b CSetup exetunzipsfx exe wt agent zip wt cust exe In the above command a new package wt cust exe is created from an existing zip file The CorreLog Csetup exe program is prepended to the start of the file followed by the Info Zip unzipsfx exe program followed by the wt agent zip zip file created earlier When the above wt cust exe program is executed at a command prompt with a required IP address argument the program extracts the files including any customized changes and installs the agent program in the local directory Note that the unzipsfx exe program is not included in the Corr
43. e configured destination host which may require modifications to firewalls and port blockers Additionally the CorreLog WTS will listen at TCP 55514 for optional remote configuration requests To insure proper installation of the program the user should close all windows and temporarily disable any port blocking or Virus Scan software on the system Reboot after installation is not required Basic Installation Steps The precise steps needed to install the CorreLog WTS program on a target platform are detailed in Section 2 of the CorreLog Web Framework Users Manual These steps are also outlined below 1 Login to the target platform with Administrative permissions 2 If the platform is running port blocking or Virus Scan software this software should be disabled during the installation 3 Download a copy of the CorreLog WTS files One location to obtain these files is from the Home screen of the central CorreLog Server The user runs a web browser on the target machine connects to the CorreLog CorreLog WTS Page 10 server and then downloads the CorreLog WTS files by clicking the Download Tool Set Here hyperlink on the Home screen Other methods of obtaining the executable program include mapping disk drives or using FTP 4 After downloading the CorreLog WTS package execute the self extracting WinZip file and extract files to the target directory by default the C CorreLog directory 5 When the
44. e with the ListenPort value of the CO systrap cnf file in the system directory of the CorreLog server There is generally no need to change this value Sys IDestPort This is the UDP port number that the CO trecv exe program relays Syslog messages to on the local platform By default this is the standard port number of UDP 514 The value must agree with the CorreLog WTS Page 55 udp port number value of the syslog cnf file in the system directory of the CorreLog server There is generally no need to change this value MatchAddress This directive is an IP address or wildcard in the form which can limit the location of CO tsend exe programs which are send messages to the CO trecv exe program The user can leave the default value to match all IP addresses or specify a subnet such as 10 30 or 10 15 8 or can specify a precise IP address This provides extra security by limiting the range of devices that can access the TCP tunnel Note that this is the IP address of the CO tsend exe program and not the IP address of the devices actually sending messages ErrorSeverity This directive indicates the severity of any authentication error generated by the program due to a fault encryption key or failure of a program to match the MatchAddress directive The value can be set to disabled to prevent any Syslog messages from being generated by the CO trecv exe program however authentication errors are extremely u
45. eLog distribution This is a free utility available from a variety of web locations Contact CorreLog support for details on how to acquire this utility CorreLog WTS Page 62 Standard CorreLog Wt agent msi Package The CorreLog Server site contains a wt agent msi package in the s doc directory of the installation suitable for use with remote agent deployment using a variety of deployment software including Microsoft SCOM and SMS This package contains the latest agent for the site and directly supports remote installation The wt agent msi package is interoperable and standards based but usage of the program requires the end user software deployment system to accept arguments to the MSI file If this restriction prevents the usage of the MSI file given end user resources the end user should create their own MSI package as discussed in the next session Specifically the destination address for syslog messages must be passed to the MSI installer such as follows Msiexec i wt agent msi dest 10 1 2 3 The above command installs the wt agent msi distribution pointing to the destination address of 10 1 2 3 The actual IP address specified above is placed in the CO sysmsg cnf file on installation When installing the MSI package the actual agent files are placed in the Program Files CorreLog directory of the managed platform After performing an MSI installation the software deployment tool should manage the uninst
46. entifies the default facility code used in all messages that are logged to the specified EventLog DefaultSeverity This directive is must be preceded by the EventLog directive The value specifies a severity name which identifies the default severity code used in all messages that are logged to the specified EventLog This directive can be a number between 0 emergency and 7 debug or can be an official severity name or can be one of the special values of auto or disabled The value of auto indicates that the severity is automatically set according to the built in type of event message The value of disabled indicates that no messages are sent unless the message specifically matches a MatchKeyWorda directive UseFacility This directive may follow the DefaultFacility directive and is followed by one or more MatchKeyWord directives This directive starts a series of match patterns any of which will cause the UseFacility value to be specified as the message facility This provides a way of using a facility based upon the content of a message The value must specify a facility name or an Official facility number between 0 and 23 which identifies the facility to use if any of the match patterns that follow are satisfied This directive is not meaningful unless immediately followed by one or more MatchKeyWord directives described below Multiple UseFacility directives each followed by multiple MatchKeyWord
47. equire program maintenance and will not interfere with other system processes The system configuration file discussed in the next section of this manual is ready to run and does not require any customization other than the destination Syslog host supplied by the installation dialog However the WTS programs have various command line options and capabilities available for general users documented in this section Specifically the CO sysmsg exe program has a comprehensive configuration file that is easy to understand This service is designed to be easily modified and configured such as to monitor streaming log files The sendlog exe program is specifically supplied to permit users the ability to send arbitrary Syslog messages and support user scripting For example the sendlog exe program can easily be incorporated in any Windows batch file to send notifications to the CorreLog or other Syslog server This section provides detailed notes on the WTS tool command line options and application notes suitable for use by administrators and developers wishing to extend the Windows Syslog monitoring capabilities of their organization The section will be of interest to other users wishing to assess the capabilities of the WTS tools and Syslog protocol in general CorreLog WTS Page 15 The CO sysmsg exe Program The CO sysmsg exe program normally residing in the CorreLog wintools directory executes as a single persistent background proce
48. ers News These are messages related to the Network News processes which have been fairly deprecated although are still found on many Unix and mainframe systems This facility is sometimes used to indicate low severity news events such as a system being brought down Network These messages are related to the Unix uucpd process UUCP is an acronym for Unix to Unix Copy They may also refer to network events such as interfaces being enabled or disabled CorreLog WTS Page 80 Lock This facility is listed in the RFC as clock but is often renamed as lock and used for locking mechanisms such as file locking queues It is often substituted for the Clock 15 facility code It may on some systems be identical to the Clock 15 facility Auth This is similar to the Security 4 facility but is generally reserved for authorization errors such as invalid logins It is somewhat synonymous with both Security 4 and Audit 13 It represents one of the areas of the RFC that is not clearly delineated hence is subject to interpretation FTP These messages are related to the Unix ftpd process and FTP program which is somewhat deprecated but still in use This facility is sometimes used for non F TP protocol messages related to file transfers NTP These messages are related to the Unix ntpd News Transport Protocol processes T
49. factory for the vast majority or perhaps all of the event log messages generated by a Windows platform for most applications It is quite possible and even likely that a message s content might match multiple UseFacility or UseSeverity statements In that case the following rules apply If a message matches multiple UseSeverity statements then the severity that is actually used will be the highest severity actually the lowest number of any severity matched For example if a message matches two UseSeverity statements one of which is info and one of which is critical then the critical severity is used in the transmitted message Likewise if a message matches multiple UseFacility statements then the facility with the highest number facility code is used as the facility in the transmitted message If no facility is matched but a severity is matched then the DefaultFacility is used The Special disabled Severity There is no explicit ExcludeKeyWord type of statement However the user can easily exclude any message with a particular content by specifying a UseSeverity statement with a severity of disabled This special severity is the CorreLog WTS Page 31 highest rank actually the lowest number and permits the user to filter or exclude any keyword that matches one of the MatchKeyWord directives For example the user can configure a directive s
50. fically target a key set of messages using this technique The LogStatChange directive permits the user to monitor for the existence or modification of any file system object This directive should not be used with any UseFacility or UseSeverity values or any MatchKeywords The directive permits the operator to watch for changes to critical file system objects such as password files configuration files or directories This directive can be used only with the LogFile directive CorreLog WTS Page 39 Finally note that there is a special and optional MaxSizeChange directive associated with log file monitoring If the log file jumps to a very large value rather than sending out many Syslog messages the program sends out a single File Size Changed Syslog message to indicate this condition This prevents a situation where the administrator truncates the file by hand or copies some other file on top of the monitored file as may often occur Section Summary And Additional Notes 1 The CorreLog Syslog Message Service configuration file resides in the same directory as the CO sysmsg exe executable and is the CO sysmsg cnf file By default this file is located in the C CorreLog wintools directory 2 This file is read on Service Startup and contains the name of the destination host as well as other directives 3 The file does not need to be modified and comes ready to run However a user can tailor the file
51. g server via the System gt Parms tab Because this value is well known it is important to change this value across the enterprise when relying solely on passkey authentication In general for extra security the passkey should be used to supplement the source IP address authentication There is no downside to using passkey authentication other than making firewall issues slightly more complex to troubleshoot The passkey is not transmitted across the network in clear text The value is encrypted hence is secure from attack by network sniffers However the value is in clear text within the CO sysmsg cnf file hence this file should be protected from unauthorized access such as by limiting access to the host machine Remote Config Via The CorreLog Web Interface To execute a remote configuration operation at the CorreLog Web interface the user may first need to enable remote configuration by accessing the Device Information screen for the host device This is accomplished by clicking on the target device hyperlink found in various locations within CorreLog in particular in the Messages gt Device tab To enable remote configuration on the CorreLog Device Information screen the user clicks the Edit Device Info hyperlink and sets the value of Enable Remote Config Editor to be Yes and commits the data This causes a new Edit Remote Config link to appear on the Device Information screen whenever CorreLog WTS Pa
52. ge 45 it is accessed Clicking the Edit Remote Config hyperlink will download the remote configuration permit editing and uploading of this data When the user clicks on the Edit Remote Config hyperlink the CorreLog Remote Configuration Editor screen downloads the remote configuration and displays an edit dialog that permits the user to modify and upload the data back to the CO sysmsg exe process This Remote Configuration Editor screen is depicted below iix File Edit View Favorites Tools Help I Fr gt address Ea a Re w Advisory CorreLog Search Query More User admin En um CORRELOG Home Dashboards Correlation Alerts Tickets Reports System Help oe Devices Facilities Severities Aux Config Edit Remote Config CorreLog Agent Config Data Host 127 0 0 1 Reset Check Upload gt GA A CO Sysmsg CorreLog Syslog Message Service Configuration File Version 5 X X See CorreLog Windows Tool Set Reference Manual for detailed notes Copyright c 2008 2013 CorreLog Inc All rights reserved http www correlog com The following two items are the only items actually required They are configured manually or by the installation procedure and are not affected by remote configuration operations Destinationiddress X X X X DestinationPort x Enable processing of Unicode character sets Unicode True Load Default Agent Configuration File _ Default Con
53. hat the connection was unavailable and the amount of messages lost if the buffer size is exceeded Finally note that the BufferDelaySecs if it exists can control when the program attempts to retransmit data Normally the retransmission occurs approximately once each second The value can be increased to marginally improve performance especially if the intermittency is known to be a certain duration such as 300 seconds or so Troubleshooting Information The most common reasons for failure are as follows 1 A firewall port blocker or filtering router does not permit communication between the CO tsend exe and CO trecv exe programs via the configured port number by default the TCP port 51462 The user should check the firewall configuration or use the telnet command to verify that the CO trecv exe program is reachable from the CO tsend exe program The user should also verify that no port blocking software such as found in many common Virus protection programs is preventing communication between the two programs CorreLog WTS Page 57 2 The CO tsend exe and CO trecv exe programs are not executing The user should verify via the Windows Task Manager that these programs are running If these programs fail to start the user should check the respective error logs either the CO tsend log or CO trecv log files located in the same folder as the executable programs 3 The CO tsend exe program does not have the Destinat
54. his is somewhat deprecated but can still be found on a variety of Unix platforms Audit This is similar to the Security 4 and Auth 19 facility codes but mainly appropriate for audit processing including performance monitoring For example a performance monitor might use this facility to periodically send the disk space and disk utilization statistics to the Syslog process for data collection The messages that use this facility should be pertinent to performance reporting Alert This is a general purpose hence heavily overused facility to indicate an Alert condition This may be somewhat confusing because this is really a severity rather than a facility Ideally these messages would represent problems with the alerting process rather than actual alerts Clock These messages are related to the Unix clock daemons and other processes involved with time synchronization and maintenance This facility is also sometimes used to mark event times such as by issuing a Syslog message via the Unix cron or Windows at program Some scheduler programs use this facility Occasionally due to ambiguities in the RFC this facility is confused with and substituted for the Lock 9 facility CorreLog WTS Page 81 Localo This is a user definable facility used by Cisco and many other vendors It is of the used in application software and is an ideal candidate for being modified
55. iguration directives to the file The DestinationAddress does not need to be set in the configuration file since the CSetup exe program automatically configures this value 4 Run the MSI packaging software to package the files into a msi file This creates a distribution package specific to your enterprise Make sure that the packager executes the CSetup exe program as a final step in the installation passing this program the correct destination IP Address of the CorreLog server 5 Test the MSI package using the standard msiexec Windows utility and verify that the package correctly installs MSI Package Creation Specific Example Numerous low cost and free utilities exist for creating MSI packages For example the msicreate and msilaunch utilities provided by Corner House Software Inc are freely distributed MSI packager programs that can be used in the absence of any other MSI packaging software These utilities can be located via a web search and downloaded to your enterprise Using the Corner House Software utilities the specific steps needed to create an MSI package are as follows The procedure below assumes that the operator wishes to install the MSI package in the C Program Files CorreLog directory 1 Obtain and install the msicreate and msilaunch utilities Contact CorreLog Inc for help as needed 2 Install the CorreLog Windows Tool Set software on a test computer using the standard Windows Ba
56. ile By executing the CO install exe program the service is stopped removed re installed and reconfigured with the user specified destination host The platform will generally not have to be rebooted during any installation However under certain rare circumstances such as if the CO sysmsg exe program has some conflict with third party software it may be necessary to re initialize the entire platform by rebooting before performing a re install CorreLog WTS Page 12 Uninstalling the CorreLog WTS The CorreLog WTS is uninstalled via the Add Remove Programs windows facility The user navigates to this screen via the Control Panel and clicks on the CorreLog Syslog Message Server entry to execute the Uninstall program The user follows the instructions of the dialog to uninstall the CorreLog Framework system Note that unlike many uninstall programs the CorreLog Framework files are left intact on the disk Following the uninstall procedure the user must physically remove these files such as by dragging the CorreLog root directory to the Microsoft Windows Recycle Bin This extra step safeguards any accidental removal of data on the system Installing WTS via an MSI Package Most versions of the CorreLog Server system incorporate an MSI package that assists with automated or remote installations This MSI file normally resides in the following location of the CorreLog Server site C CorreLog s doc wt agent
57. ile from various locations In particular the user can download this package with a web browser directly from the CorreLog Server Home screen e The user executes the self extracting WinZip file and extracts files to the desired location by default the C CorreLog directory of the platform e When the files are extracted the installation dialog automatically starts The user needs to provide only one argument to the installation dialog which is the destination hostname or IP address of the Syslog server running on the network This will generally be the hostname or IP address of the platform running the CorreLog Server software e When the dialog finishes the CorreLog Syslog Message Server is installed and started The user can check the Syslog file of the destination host to verify that a Syslog message was correctly sent and received The platform does not need to be rebooted The entire installation steps outlined above will usually take about one minute or so to complete An Administrator type login is required If the installation fails for example if the installer mistypes the destination hostname or IP address the installation procedure can be run again without running the uninstall program Future sections will describe in detail the various other features adaptations customizations and applications associated with the CorreLog WTS system The reader is encouraged to experiment with the system In particular al
58. ime Format specification into the file name This allows CorreLog to monitor log files whose names change each day CorreLog employs standard UNIX type time formatting of file names where the following symbols have special significance in a file name a Abbreviated weekday name A Full weekday name b Abbreviated month name B Full month name d Day of month as decimal number 01 31 H Hourin 24 hour format 00 23 Pl Hour in 12 hour format 01 12 j Day of year as decimal number 001 366 m Month as decimal number 01 12 M Minute as decimal number 00 59 U Week of with Sunday as first day 00 51 w Weekday as decimal number 0 6 Sunday is 0 W Week of year with Monday as first day 00 51 y Year without century as decimal number 00 99 Y Year with century as decimal number z Time zone name or abbreviation Percent sign For example consider the case where a log is created each night with the month and date and placed in a folder each night with the name of the specified year Such a file might be named Z logs 2014 ex0620 log The user can specify this file in the LogFile directive as Z logs Y ex m d log which will correctly resolve to the correct name without any further adjustments Log Name Wildcards In addition to including a date and time specification the user can also incorporate an asterisk character as part of the root filename used in the
59. ionAddress correctly configured This may be difficult to detect Double check the IP address by pinging the DestinationAddress node or use the telnet command to access the CO trecv exe program 4 The CO tsend exe program and CO trecv exe program do not have the same EncryptKey value If the CO tsend exe program sends a message with the wrong encryption key this will cause an Authentication error message to be logged at the main CorreLog console Check the CorreLog messages screen to see if such authentication errors are occurring As a final way of verifying operation set the LogLocal directives of both the CO tsend cnf and CO trecv cnf files to be True and try issuing Syslog messages via the sendlog exe utility The user can check the log files of the programs to see if the message reaches the CO tsend exe program the CO trecv exe program or neither Section Summary And Additional Notes 1 The CO tsend exe program can be configured at any Windows platform to create an encrypted TCP tunnel between that platform and the CorreLog server The CO trecv exe program runs at the CorreLog server and must be enabled in order to receive messages from the CO tsend exe program 2 Both the CO tsend exe and CO trecv exe programs make use of a configuration file with the same name as the program except with a cnf rather than an exe suffix These configuration files are located in the same folder as the program 3 The
60. ions center These messages might be incorporated into a batch file or might be the result of some program check that is launched periodically by the Windows scheduler Sendlog 127 0 0 1 This is a debug message The above command sends a message to the Syslog program running 127 0 0 1 The severity and facility is not specified These items default to the values of debug and user Sendlog 192 168 1 1 The system is restarting 6 The above command sends a message to the Syslog program running 192 16 1 1 The severity is info and the facility is not specified so defaults to user Sendlog myhost Error during file transfer 3 11 The above command sends a message to the Syslog program running at the myhost platform The severity is error and the facility is ftp The command is fully qualified and uses all the available arguments Note that the user can specify either an IP address or an official hostname as shown here Sendlog myhost stdin 6 11 lt filename The above command sends the contents of filename to the Syslog program running at the myhost platform The severity is info and the facility is ftp The command illustrates the usage of the stdin option which causes the Sendlog exe program to read standard input in this case the contents of filename terminating when the entire file is sent CorreLog WTS Page 19 As shown above the severities and facility
61. ious application programs However the native Windows platform does not support Syslog protocol This is easily fixed by installing the CorreLog WTS on the platform as described herein After installation event log messages will immediately begin forwarding over to the CorreLog Server permitting data aggregations and correlation The CorreLog WTS consists of the following programs e CorreLog Syslog Message Service This is a compact but powerful Windows service which listens for new events in the event log and then converts these events to Syslog messages The process uses minimal CPU and memory and runs as a normal Windows service on XP Vista and 200X servers e CorreLog Logfile Monitor Service This is a compact but powerful utility program actually incorporated in the CorreLog Syslog Message Service above but separately enabled which allows arbitrary log files to be instrumented with match patterns When specific match patterns are detected in streaming log files Syslog messages of the appropriate severity and facility are sent to the Syslog server program e CorreLog Sendlog Utility This is a simple utility that can be used in batch files and launched by application programs to send Syslog messages to a Syslog server host The utility is a completely stand alone executable that relies on no other files or DLLs in the system hence is easily adapted to user specific applications e CorreLog Remote Configuration Utility This
62. is a stand alone program that permits the user to download and upload the configuration file of the CorreLog Syslog Message and Logfile Monitor Service so that batch configuration of these programs can be remotely performed e CorreLog Tunnel Sender Service This is a program that can be optionally installed to send both Syslog messages and SNMP Trap messages to the CorreLog system using reliable and encrypted TCP This program provides the user with various important security options related to firewalls routing and extra encryption CorreLog WTS Page 6 The above programs are documented in this manual including installation and configuration along with extra application notes that describe how to perform advanced configuration of the system CorreLog Windows Tool Set Interoperability Note that although these programs contain special features such as data encryption that work with the CorreLog server the programs also work with any standard Syslog receiver Although this manual will assume that these programs are being installed to support the CorreLog server all information in this manual unless otherwise specifically noted can be generalized to apply to any Syslog receiver program running on the network Because the Syslog is highly interoperable the installer can leverage this standards based protocol to develop new management techniques that interoperate with a variety of other software Using CorreLog WTS with CorreLog
63. is file to specify the facility and severity codes used by the Event Log monitor The file also allows users to monitor arbitrary streaming log files on the system that is any file which is continuously appended such as Oracle error logs HTTP server logs and many other types of log files The CO sysmsg cnf file is documented in detail within Section 4 of this manual As stated in that section the configuration file does not necessarily EVER have to be modified by a user The default configuration created by the installation utility is adequate for many perhaps most environments However if the user wishes to create a highly customized installation targeting specific types of event log messages that capability readily exists through the directives in the file This file resides in the same directory as the CO sysmsg exe program which corresponds to the CorreLog Syslog Message Windows Service The file provided here is the default configuration that comes with the system CorreLog WTS Page 73 HH HHEHHHH HHH HHH HEE EEE EER RRRRRRR RRR OH OH CO Sysmsg CorreLog Syslog Message Service Configuration File See CorreLog Windows Tool Set Reference Manual for detailed notes Copyright c 2008 2015 CorreLog Inc All rights reserved http www correlog com H HHHHHHHHHHHHHHHHHHHHHHHHHHHHH HHH OH OH OH The following two items are the only items actually required They are configured manually or by the installati
64. itical significant or urgent or immediate error or fail or fault or crash or Error abnormal warning or caution or terminate Warning notice or start or Success Notice info Info debug or ignore Debug CorreLog WTS Page 87 For Additional Help And Information Detailed specifications regarding the CorreLog Server add on components and resources are available from our corporate website Test software may be downloaded for immediate evaluation Additionally CorreLog is pleased to support proof of concepts and provide technology proposals and demonstrations on request CorreLog Inc a privately held corporation has produced software and framework components used successfully by hundreds of government and private operations worldwide We deliver security information and event management SIEM software combined with deep correlation functions and advanced security solutions CorreLog markets its solutions directly and through partners We are committed to advancing and redefining the state of art of system management using open and standards based protocols and methods Visit our website today for more information yf ue NS CorreLog Inc http www CorreLog com mailto support CorreLog com CorreLog WTS Page 88 Alphabetical Index A Abbreviated 36 Additional Notes 13 64 Addnew 48 Address 24 25 26 43 62 63 72 Address Destination And Port Number Directives
65. ities Notice These are messages that are sent with the intention of being noticed They have a fairly significant level of importance A filter should generally not remove arbitrarily remove all messages with this severity Warning A significant message It signifies a non trivial degree of risk There may not be any corrective action needed with this type of message Error A highly significant message The message indicates that corrective action manual intervention or operational change is necessary Critical A critical situation exists that requires immediate attention All other activities should be set aside and the problem addressed as soon as possible Possible risk to security or data or infrastructure is eminent Alert An extremely critical condition exists that will require immediate intervention by the highest levels of management requiring whatever resources necessary to immediately fix Data has been lost security has been breached or infrastructure has been damaged Emergency This severity should NEVER be used reserved for situations where human safety or the over all health of the organization has been compromised or is in extreme jeopardy CorreLog WTS Page 83 CorreLog WTS Page 84 Appendix C Severity Mapping This section provides a reference guide explaining how the Windows agent assigns severity codes when the auto type severity is configured
66. ity name or an official facility number between 0 and y which identifies the severity code used in all messages that are logged to the specified The value of this directive is commonly disabled or 1 indicating that no message is processed unless in matches one of the UseSeverity patterns described below If this directive is omitted the default severity is assumed to be disabled CorreLog WTS Page 36 UseFacility This directive may follow the DefaultFacility directive and is followed by one or more MatchKeyWord directives This operates identically to the Event Log monitor directive described previously The directive is followed by a series of match patterns any of which will cause the UseFacility value to be specified as the message facility Multiple UseFacility directives each followed by multiple MatchKeyWord directives can be configured UseSeverity This directive is similar to the UseFacility directive above but affects the message severity instead of the facility code This operates identically to the Event Log monitor directive described previously The directive is followed by a series of match patterns any of which will cause the UseSeverity value to be specified as the message facility Multiple UseSeverity directives each followed by multiple MatchKeyWord directives can be configured MatchKeyWord This directive operates identically t
67. ix This is a phrase that will prefix any messages sent by the system If the directive is omitted the message is not prefixed by any special text This can be used to distinguish the messages such as by placing a keyword or the device name or the organization or some other keyword at the very start of any message The message prefix must be under 256 characters and can contain static text environmental variables delimited by characters and or a date and time specification MsgDelayMsecs This is an integer number ranging from 10 to 5000 indicating the number of milliseconds to wait after sending a message This is a way of throttling the number of messages that can be sent ranging from 10 per second to only 12 per minute This prevents any single Syslog process from flooding a Syslog message receiver The default value if this directive is omitted is 10 milliseconds CorreLog WTS Page 26 MaxMessageSize This is an integer number ranging from 200 to 5000 bytes indicating the maximum message size to be sent by the agent including message prefix facility and severity codes etc If the value is omitted the maximum message size is 500 bytes which is sufficient to capture virtually all message information without taxing disk resources This value is particularly important for Windows 2008 platforms which can generate highly verbose and non pertinent messages that waste disk space and correlation CPU time LogLocal This
68. lity Codes And Their Meaning The basic facilities defined by RFC 3164 are discussed below Kernel 0 These are messages related to the Unix kernel process or generated by very low level driver software and system programs User These are typically user defined messages This facility is used and over used as a central way of defining messages that have not been otherwise classified Mail These are messages related to the SMTP system Microsoft Exchange as well as mail relay systems and sometimes e mail programs System This is another catchall type of facility that is often over used but generally related to system services Unix daemons not otherwise classified It can also indicate Security These are messages related to security processing such as login detection virus protection and intrusion detection systems Other security related messages are found in the Audit 13 and Alert 14 facilities Internal Originally these were messages related only to the internal operations of the Syslog protocol process but have evolved to include general internal processes often related to performance monitoring but occasionally simply the internal workings of the system Printer These messages are related to the Unix Ipd process and can also indicate problems with printer hardware printer queues and other types of queues that are not particularly related to print
69. llowing parameters apply to the Windows Application log Eventlog Application DefaultFacility user DefaultSeverity auto User can configure other Application severities and facilities here UseFacility local7 MatchKeyWord keyword MatchKeyWord keyword UseFacility locals MatchKeyWord keyword MatchKeyWord keyword UseSeverity debug MatchKeyWord keyword MatchKeyWord keyword UseSeverity critical MatchKeyWord keyword MatchKeyWord keyword HHP PH Hee HPP PPP RPP RO OP OR OOO OR OO OO OH The following parameters apply to the Windows System log Eventlog System DefaultFacility system DefaultSeverity auto User can configure other System severities and facilities here UseFacility local7 MatchKeyWord keyword MatchKeyWord keyword UseFacility locals MatchKeyWord keyword MatchKeyWord keyword UseSeverity debug MatchKeyWord keyword MatchKeyWord keyword UseSeverity critical MatchKeyWord keyword MatchKeyWord keyword HHHHHHHHHHHHHHHHHHHHHHHHHHHH HHH OH OH OH 4 The following parameters apply to the Windows Security log This particular event log can be quite busy so the default severity is set here to disabled which requires particular matches to be CorreLog WTS Page 75 explicitly listed The following are typical and may be sufficient for many security applications Eventlog Security DefaultFacility auth Def
70. load ipaddr filename These command options download the remote configuration file from the specified IP address using the specified passkey The resulting configuration data is placed in the specified filename rsmconf upload ipaddr filename These command options upload the remote configuration file to the specified IP address using the specified passkey The data residing in the specified filename is uploaded rsmconf check filename These command options check the specified filename for errors This check is also always performed when using the upload option This permits the user to check configuration data that has been previously downloaded No passkey or IP address is specified or required Note that if the ListenAuthMode of the CO sysmsg exe process is set to a value of 1 or 3 the rsmconf exe program can only be executed on the platform specified by the DestinationAddress If the ListenAuthMode is set to 2 or 3 then the passkey must be correctly specified otherwise it is ignored The rsmconf exe program is especially useful in performing batch configure operations where the command is repeated multiple times within a Windows bat file needed to effect reconfiguration on many different platforms CorreLog WTS Page 47 Other Security Features Any attempt made to access the CO sysmsg exe program without proper authenticated credentials causes the CO sysmsg exe program to transmit a Syslog message to the destinati
71. lowing the optional parameters section are the event log specifications Each event log on the system is identified along with the default facility used for any message associated with the particular log Additionally each log can have a series of UseFacility and UseSeverity statements each associated with MatchKeyWord values This permits the user to fine tune the Facilities and Severities of messages The following directives are supported EventLog This directive is followed by the name of a Windows Event Log either Application System Security or some other event log name that appears in the Microsoft Local Event Viewer Program All the directives that follow delineated by the next EventLog or LogFile directive apply to the specified Event Log Note that on Windows 2008 and later systems the user may also specify a Windows Application Log in addition to the standard event log See additional notes below Formatter This directive if it is present can be used to specify or change the formatting of event log messages for the particular event log Generally this setting should not be specified and is available for system level debug Contact CorreLog support for specific information DefaultFacility This directive is must be preceded by the EventLog directive The value specifies a facility name or an official facility number between 0 and 23 CorreLog WTS Page 28 which id
72. loyment software such as Microsoft SMS The CorreLog WTS includes the wt silent exe program in the s doc of the CorreLog distribution which permits the system to be installed via a command line option in a fashion identical to the standard agent installer The details of this program are discussed in this section Automating the deployment of any software system incorporates certain risks Before executing an automated deployment the automated installation procedure should be carefully tested on a variety of different platforms to insure proper operation While the Windows WTS does not pose any special hazards beyond that of normal software installations experience shows that certain common problems such as firewall and networking issues should be considered as part of the software installation process CorreLog WTS Page 59 Silent Agent Installation Program The wt silent exe program is a standard feature of current CorreLog versions residing in the s doc directory of the CorreLog Server The program allows the agent program to be installed at a command line without a GUI or console The program accepts a single argument which is the destination IP address to send messages to Otherwise the program operates in a fashion identical to the standard installer For example to install the agent program and send destination messages to the CorreLog server executing at 192 168 1 1 the following command can be executed Wt silent
73. lt settings of the CO sysmsg exe program it may also be the case that match patterns log file monitors and other parameters will need to be maintained especially during the initial setup and configuration of the system The Rsmconf exe program permits the user to download and upload the configuration file from a CO sysmsg exe program When uploading changes the new configuration immediately takes affect within the CO sysmsg exe program CorreLog WTS Page 21 without requiring a restart of the service Extensive checks and security features are incorporated into the system as detailed within later sections of this manual Note that the Rsmconf exe program is agreeable to use within batch files so that an administrator can easily apply large numbers of changes to an enterprise Also note that the CorreLog server itself can effect these changes via the web interface These remote configuration features are discussed in more detail within a separate section of this manual Section Summary And Additional Notes 1 The CorreLog Syslog Message Service monitors Windows event logs for changes and sends Syslog messages to the destination host The destination host address which receives messages is configured in the CO sysmsg cnf file which is in the same location as the CO sysmsg exe program by default the directory C CorreLog wintools The CO sysmsg cnf file MUST exist in the above directory and specifies a va
74. m and the configuration file This log file can contain any errors and can contain Syslog messages if so configured The file is overwritten each time the server starts and typically has just a very few lines This log file will not need any maintenance CO sysmsg exe Command Line Arguments The CO sysmsg exe program contains various command line options that allow the program to execute at a command prompt While these command line options are never required it may facilitate certain user operations especially in batch files The various options of the program are as follows CO sysmsg install The install option causes the program to be installed as the CorreLog Syslog Message Service in the Windows Service manager If the service is already installed no action occurs This is normally executed by the CO install exe program but can be executed manually to re install the service CorreLog WTS Page 16 CO sysmsg remove The remove option removes the program from the Windows Service Manager first stopping the service as needed This is normally executed by the CO install exe program but can be executed manually to uninstall the service CO sysmsg start The start option starts the CorreLog Syslog Message Service identical to starting the service via the Windows Service Manager or executing the net start CorreLog Message command If the service is already started this option has no affect CO
75. machine name use the following as the value of the MarkerMessage Hostname COMPUTERNAME Time H M S Note that the COMPUTERNAME value corresponds to an environmental variable including the leading and trailing characters The H M S values without a trailing characters corresponds to the time at the current locale See later section on special log file names for a list of supported time specifications Environmental variables in the marker message are expanded first and each environmental variable must include leading and trailing characters After any environmental variables are expanded time specifications are substituted The user should be aware of possible conflicts should an environmental variable have the exact same name as a time specification Finally note that the MarkerMinutes value indicates an interval since system startup or reconfiguration of the agent and is not a fixed time of day Hence the marker message should not be used to schedule events that need to occur at a particular fixed time such as at noon or midnight Although the marker message can be used to schedule events that occur at periodic intervals the message is not tightly synchronized to the platforms internal clock hence should not be used to drive real time processes or perform time of day scheduling CorreLog WTS Page 33 Log File Monitoring The CO sysmsg exe program in addition to monitoring the Windows Event Logs
76. most all of the information required to understand the essentials of the CorreLog WTS system has now been explained You can begin exploring your enterprise Syslog information right now CorreLog WTS Page 8 Section 2 CorreLog WTS Installation The CorreLog WTS is usually delivered as a self extracting WinZip file and contains install and uninstall programs residing in the wintools directory of the CorreLog root directory The install program normally starts after files are extracted To uninstall the system the operator access the Windows Add Remove programs application and clicks on the CorreLog Framework entry CorreLog WTS is specifically designed not to scatter DLL or other files into system directories All files within the CorreLog directory reside in the CorreLog root directory by default the directory C CorreLog although this directory may be specified differently when extracting files CorreLog is uninstalled via the standard Windows Add Remove programs screen or Program Features screen on Vista platforms Additionally if the user stops a CorreLog Syslog Message service the entire CorreLog directory can be simply dragged and dropped into the Windows Recycle Bin and this will effectively discard the entire installation However note that this will still leave the service entry for CorreLog within the Windows Service Manager which is normally cleaned up by the Uninstall procedure
77. msi The above package can be installed with utilities such as Microsoft SMS or SCOM or via the msiexec utility The basic package requires passing of a command line argument that specifies the destination address as follows Msiexec i c CorreLog s doc wt agent msi dest 10 1 2 3 The above example will install the CorreLog package passing the destination address for syslog messages as 10 1 2 3 The user will typically change the path to the MSI executable and the destination address when executing the above command More information on the MSI package including options to create your own MSI package can be found in Section 7 of this manual Additional Notes The user should refer to the CorreLog Sigma Web Framework Users Manual Section 2 for additional important notes including procedures on how to configure the system to work with IIS how to change the location of the C CorreLog directory and how to rerun the CorreLog Framework Installer in order to accomplish specific objectives For notes on the basic system parameters how to change system logins and how to configure the program scheduler see Section 3 of that document CorreLog WTS Page 13 CorreLog WTS Page 14 Section 3 CorreLog WTS Usage At many sites the entire usage of the CorreLog WTS will consist of installing the program as discussed in the previous section and then rarely if ever visiting that installation again The CorreLog WTS does not r
78. ng 20 Encrypting Data 20 Encryption 31 Encryption Event Message 31 Encryptkey 48 49 50 52 54 56 Environmental 32 Errorseverity 52 54 Event Notes On Log Specifications 29 Event Windows Security Log Severities 84 Event Windows System Log Severities 84 Event Log Specifications 28 Event Message Encryption 31 Eventlog 28 37 73 74 Events 68 Example 62 Examples 19 Exchange 78 Excludekeyword 30 Execute 63 Executing 20 Extensive 22 F Facilities 28 77 Facilities And Severities 77 Facility 77 78 Failure 30 68 84 CorreLog WTS Page 92 False 27 31 52 54 55 Faqs 65 Fast 7 Features 9 46 File 23 24 33 34 36 37 38 51 53 63 64 71 72 75 85 File 74 75 File CO sysmsg Config 23 File Log Monitor Specifications 33 File Other Notes On Log Monitor Specifications 37 File Special Log Names 36 Filters 67 Firewall 50 Firewall Configuration 50 Forge 60 Format 33 36 Framework 9 10 13 48 65 67 Full 36 Functions 55 Future 8 G Gb2312 34 H Help 86 Home 8 10 11 Host 72 Hostname 32 Hour 36 House 62 63 Index 87 Index Alphabetical 87 Info 30 43 81 84 85 Info 60 Info zip 60 Information 43 46 55 77 Information Troubleshooting 55 Information 86 Install 50 62 67 Installation 9 10 12 48 49 50 58 Installation Basic Steps 10 CorreLog WTS Page 93 Installation C
79. nywhere on the network However while it is quite common to have a single CO tsend exe program executing there can be many such programs For example each Windows client may have its own copy of the CO tsend exe program running each directing encrypted messages to the CO trecv exe program on the CorreLog server The CO tsend cnf Configuration File The CO tsend cnf file resides in the same directory as the CO tsend exe program and provides the following directives DestinationAddress This is the address where the CO trecv exe program is listening for messages and will always be the location of the CorreLog server IP address The value is configured by the WTS installation dialog and can be changed thereafter DestinationPort This is the standard TCP port number of 51462 which must agree with the ListenPort directive of the CO trecv cnf file discussed later For the CO tsend exe program to communicate with the CO trecv exe program this port number must be the same for both programs and any intermediate firewall or filtering router must have this TCP port number open There is generally no need to change this value TrapListenPort This is the UDP port number where the CO tsend exe program listens for SNMP traps by default the standard port number of UDP 162 No other program can be listening to this port while the CO tsend exe program executes and this port must be free when the CO tsend exe program starts If any conflict exis
80. o the Event Log monitor directive discussed previously The directive nested within a UseFacility or UseSeverity directive and specifies a single match keyword with possible or wildcards If a new log file entry matches the specified pattern then the related severity or facility is used Multiple patterns can be specified without limit The MatchKeyWord list is ended by any other directive so the MatchKeyWord directives must all be contiguous within a single UseFacility or UseSeverity block Custom Formatter DLL The special Formatter directive documented above extends the range of messages that the log file monitor can read to include binary data or highly unstructured data This option requires a custom DLL to be installed at the agent site The DLL reads data from the log file and provides special formatting The formatting function provided by the DLL is completely arbitrary and may consist of converting binary data to text mapping field values to new values joining lines deduplicating lines or an other arbitrary processing that may be necessary to convert the log data into a syslog message Applications of this DLL include Exchange monitoring custom monitoring of SAP files and monitoring of pseudo binary log files For more information contact CorreLog support CorreLog WTS Page 37 Special Log File Names The LogFile specification permits the user to incorporate a T
81. of the above items is explained in more detail within the pages that follow Refer to the end of this section for a printout of the default CO sysmsg cnf file Destination Address And Port Number Directives The CO sysmsg exe program requires only two directives which must be configured in the CO sysmsg cnf file The initial configuration of these two directives is performed by the installation procedure however the user can modify the values after installation to change the destination of Syslog messages These directives typically appear at the top of the file Only the first occurrence of these directives is read If these directives occur elsewhere in the file these extraneous directives are ignored The following two directives are required CorreLog WTS Page 24 DestinationAddress This directive should be followed by a an IP address which corresponds to the location of the CorreLog Syslog receiver typically the IP address of the CorreLog web server If this value is invalid the CO sysmsg program will not send Syslog messages Destination Port This directive should be an integer number of 514 which is the standard UDP port number used by Syslog Generally this value is provided mainly for reference and cannot be easily changed These directives are required at the very top of the file and cannot be moved to some other section of the file If there are multiple entries the last entry recorded in the file for these parameter
82. og file configuration of agents this particular feature should be used only if the Correlog Server is version 3 5 1 or higher Otherwise this feature is not supported by the remote configuration functions of the main CorreLog Server although other functions will not be affected Other Notes On Log File Monitor Specifications As discussed above each log file has a DefaultFacility and a DefaultSeverity value followed by multiple optional UseFacility and UseSeverity statements Each UseFacility and UseSeverity statement can have multiple MatchKeyWord statements This provides a simple way to configure facilities and severities for any particular message Unlike the EventLog specifications discussed earlier there is auto value available for the DefaultSeverity statement in the Log File Specification This is because unlike the Event Logs there is no obvious severity assigned to arbitrary text strings in a file The operator must define these severities One useful technique to filter out data that is not important is to make the DefaultSeverity for each log file disabled The default severity is applied ONLY if no other severity specification is found In this way only those messages that have assigned severities will be sent as Syslog messages This reduces the load on the Syslog server especially if there exist many thousands of log file monitors The administrator can speci
83. on address The occurrence is also logged in the program error log which resides in the same location as the executable with a log suffix The resulting Syslog message indicates the time of the error and the client IP address This can be used to monitor unauthorized access Additionally successful remote reconfiguration is also logged providing an audit trail of changes to the remote configuration data These messages cannot be disabled Section Summary And Additional Notes 1 The remote configuration capability of the CO sysmsg exe program increases program maintainability by permitting administrators to access modify and upload configuration changes 2 The CO sysmsg exe program authentications remote configuration requests by IP address passkey or both These values cannot be changed by the remote configuration process but must be manually set in the configuration file 3 The user can perform the remote configuration via the CorreLog web interface by first enabling remote configuration on the Device Information screen 4 The user can execute remote configuration via the rsmconf exe program which is a command line utility program that can download upload and check remote configuration data 5 The remote configuration process provides a secure method of accessing and maintaining the remote configurations of multiple CO sysmsg exe programs on the network CorreLog WTS Page 48 Section 6 CO tsend Tunnel Sende
84. on procedure and are not affected by remote configuration operations DestinationAddress 127 0 0 1 DestinationPort 514 Zero to eight alternate IP addresses can be listed below AuxAddress 1 Parameters used for remote configuration of this process via the CorreLog web interface The user can comment these values out to disable remote configuration The ListenAuthMode can take values O No Auth 1 Source Address 2 PassKey 3 Address and Key These values cannot be changed via remote configuration ListenAuthMode 3 ListenPassKey Default ListenPort 55514 HHP PH HEH HPP PRP RP PROPOR OOO OOO OO OH These are optional Consult the Win32 agent user s manual for info MessagePrefix CorreLog MsgDelayMsecs 10 MaxMessageSize 500 LogLocal True EncryptData True MarkerMessage Mark Host COMPUTERNAMES alive MarkerMinutes 20 Deduplicate 3 HHHHHHHHHHHHHHHHHHHHHHHHHHHHH HHO OH OH OH The next section provides an optional list of event logs the default facility for eventlog messages and optional special keywords that change the default facility and severity of messages Each event log has a separate specification Including the three standard Event Logs a maximum of 10 different Event Logs can be specified each with a virtually unlimited number of UseFacility and UseSeverity combinations HHP PH HEH HPP RPP RPP OPO OR OO OO OO HH Ht CorreLog WTS Page 74 The fo
85. or configuration file Note that this directive cannot be used with any MatchKeyword expressions If no LogStatChange directive exists then changes to the file modification times are not monitored If the value of the associated LogFile directive contains an asterisk wildcard all files that match are monitored for changes providing a simple way to monitor changes to a directory of files RequireChangeSecs This optional directive it exists should follow the LogFile directive usually after the MaxSizeChange directive above The value specifies the number of seconds that may pass without the log file changing This directive is useful for monitoring files that are expected to change within a certain period of time such as every 300 seconds If the file does not change in the specified period of time then an IDLE message is generated Note that at least one write must have occurred to the specified log file and the directive does not apply to a log file that has not changed since agent startup DefaultFacility This optional directive may follow the LogFile directive The value specifies a facility name or an official facility number between 0 and 23 which identifies the default facility code used in all messages that are logged to the specified file If this directive is omitted the default facility is assumed to be user DefaultSeverity This optional directive may follow the LogFile directive The value specifies a sever
86. orreLog WTS 9 Installation Checkout 12 Installbat 63 Installer 13 Installing 13 Installlog 63 Interface 43 Interface Remote Config Via CorreLog Web 43 Internal 78 Internals 58 Internet 31 Interoperability 7 Interoperability CorreLog Windows Tool Set 7 Introduction 5 5 Items 24 K Kbytes 66 67 Kernel 78 Keyword 85 L Launch 68 Line 16 18 19 59 Listenauthmode 25 41 42 45 72 Listenpasskey 25 42 72 Listenport 25 42 51 53 72 Local 28 68 Local0 80 Local1 80 Local2 80 Local3 80 Local4 80 Local5 80 Local6 80 Local7 80 Lock 79 Log File Monitor Specifications 33 Loglocal 27 52 54 56 66 69 72 Logname 34 74 75 Logon 68 Logs 33 37 66 68 72 Logstatchange 35 38 CorreLog WTS Page 94 M Mail 78 Manager 9 16 17 48 49 50 55 62 63 Manual 10 13 50 57 72 Mapping 83 Mapping Severity 83 Mark 72 Marker 31 Marker Message 31 Markermessage 27 31 32 72 Markerminutes 27 31 32 72 Matchaddress 52 54 Matchkeyword 24 28 29 30 31 35 36 37 73 74 75 Matchkeywords 38 Maxmessagesize 27 72 Maxsizechange 34 38 74 75 Meaning 78 81 Message Event Encryption 31 Message Marker 31 Messageprefix 26 72 Messages 43 Minute 36 Mode 42 43 Modify 58 Monday 36 Monitoring 33 Monitors 24 Month 36 Msgdelaymsecs 26 69 72 Msiexec 13 61 N Name 37 Names 36 Names
87. ote machine This is the most common problem with the CorreLog WTS since this port number is frequently shut off by many firewalls How do verify that the CO sysmsg exe program is actually running You can run the CO sysmsg exe program at a command prompt using the foreground option to the program You can also check the CO sysmsg log file to see what errors have been encountered during normal execution You can enable the logging of all Syslog messages to this file by setting the LogLocal directive to True in the CO sysmg cnf file These techniques are all useful for assessing what messages are being sent and how the CO sysmsg exe program is running want to use the sendlog exe program but not the CO sysmsg exe program The sendlog exe program is a completely stand alone utility It does not require any special DLL files and does not require the execution of the CO sysmsg exe program Simply copy the sendlog exe program to any location and it will run just fine This is very handy for supporting batch files and scripting applications The program can be easily launched via Perl PHP and many other scripting languages My CO sysmsg exe program appears to ignore the Security or other Windows Event Logs Assuming that you do not have the configuration file completely filtering all messages this situation can occur if the user makes the event log too small and the event log is rapidly being updated
88. r The CO tsend exe CorreLog Tunnel Sender Service is an optionally installed program included with the WTS which will relay messages to the CorreLog system server program using an encrypted reliable TCP channel including possible buffering of this data if a connection cannot be immediately established This type of program is often called a Tunnel since it provides a way to tunnel through firewalls and blocking routers in a highly secure manner The program service is installed as part of the setup dialog but must be manually enabled and configured as described in this section Using this function a network administrator can limit the number of firewall holes to a single point to point connection between the CO tsend exe and the CorreLog program The program also provides additional encryption and reliable TCP connections In order to use the CO tsend exe program the user must also configure the CO trecv exe CorreLog Tunnel Receiver Service program on the main CorreLog server platform This receiver program accepts messages from the CO tsend exe program decrypts and authenticates these messages and relays these messages to the appropriate processes running at the central CorreLog Server The configuration of both the CO tsend exe and CO trecv exe programs are detailed in this section Note that the information herein is NOT REQUIRED to install and use the CO sysmsg exe program but is provided only to support more advanced appli
89. reLog Sigma Web Framework The encryption is a one use pad type encryption with a time based rotating cipher Contact the vendor for enhanced encryption techniques including public key encryption schemes I enabled encryption in the configuration file but I see no change The CorreLog Server is decrypting the messages correctly and the user will not see any change However if the destination for these Syslog messages is some other program such as a Unix syslogd program it will be readily apparent by inspecting the Syslog that the message content is encrypted How do I run multiple copies of CO sysmsg exe Do not install the CO sysmg service Instead use the Use the CO svc exe program which is a regular component of the CorreLog Web Framework Install this service configure the sched cnf file to launch the CO sysmsg foreground program and install the CO sysmsg program in several different directories one directory for each destination This provides the added benefit of providing a separate configuration file for each destination which is flexibility that will probably be needed in any management scenario CorreLog WTS Page 69 How do interface to the Windows Performance Monitor The easiest way to send Syslog messages to monitor performance is to use the Windows performance monitor to send alerts Although it is not commonly known the Windows Performance Monitor contains a very sophisticated alerting facilit
90. rformance problems if overused Notes On Event Log Specifications As shown above each event log has a DefaultFacility followed by multiple optional UseFacility and UseSeverity statements Each UseFacility and UseSeverity statement can have multiple MatchKeyWord statements This provides a simple way to configure facilities and severities for any particular message CorreLog WTS Page 30 If the DefaultSeverity directive is set to auto then the default severity of messages depends upon the Windows Event Log Message Type field as follows e Event Log Error Type Any event log message of this type is by default assigned a Syslog severity of error e Event Log Warning Type Any event log message of this type is by default assigned a Syslog severity of warning e Event Log Info Type A message logged to the System log of this type is assigned a Syslog severity of notice A message logged to any other log is assigned a Syslog severity of info e Event Log Audit Success A message logged to the Security log of this type is assigned a Syslog severity of notice e Event Log Audit Failure A message logged to the Security log of this type is assigned a Syslog severity of error The above default severities can be overridden by the UseSeverity statement discussed above Experience shows that the above mapping will be entirely satis
91. riety of parameters and configuration items detailed in the next section The CO sysmsg exe program which is the program corresponding to the CorreLog Syslog Message Service reads its configuration data only on startup The sendlog exe program is a stand alone executable that permits programmers to send Syslog messages to arbitrary hosts using arbitrary messages severities and facility codes The wsendlog exe program provides a function identical to the sendlog exe program except provides a user friendly user dialog rather than being a command line program Setting the SIGMA_ENCRYPT_DATA environmental variable to any value will cause any data sent by the sendlog exe program to be automatically encrypted This is useful ONLY if the target Syslog receiver is the CorreLog system The CO tsend exe program is the CorreLog Tunnel Sender Service which can be manually installed on one or more Windows platform to provide secure TCP transmissions of Syslog and SNMP trap messages to the CorreLog system The CO tsend exe program is not required for proper operation of CorreLog however may enhance the overall security of a site and handle special firewall and routing issues CorreLog WTS Page 22 Section 4 CO sysmsg Config File The CO sysmsg cnf file contains all the parameters and specifications related to the program s operation This file is found in the same directory as the CO sysmsg exe program by default the
92. rotection against network sniffers However since a single 1024 bit private key is used for all the transmissions this encryption does not protect against man in the middle type attacks or replay attacks This encryption is mainly useful for sending Syslog messages across a public Internet where casual observers might intercept and observe the message content Note that encryption is available only with the DestinationAddress directive Any configured AuxAddress directives will receive unencrypted information and are unaffected by any message encryption settings Marker Message As a special function the agent can be configured to generate a periodic Marker message at a user defined interval such as a marker message each hour To enable this function the configuration file must contain both the MarkerMessage and MarkerMinutes directives and the MarkerMinutes value must be greater than zero CorreLog WTS Page 32 The Marker Message can be used to indicate that the agent is still alive on the network and can provide a heartbeat function for the system The message content defined by the user via the MarkerMessage directive must be under 256 characters and is always send with the syslog clock facility and debug severity The message can contain environmental variable references and date and time specifications For example to send a message once each hour that identifies the local time of the machine and the
93. s is used and the other directives are ignored Remote Configuration Parameters The CO sysmsg exe program supports remote configuration directives by the main CorreLog server or by the rsmconf exe remote configuration utility Following the Destination Address and Destination Port directives are a series of optional parameters to support this function The following three directives are optional ListenAuthMode This directive specifies the authentication mode used when processing remote requests The directive is followed by an integer number between 0 and 3 as follows O No authentication 1 Authentication by source address 2 Authentication by passkey 3 Authentication by both source address and passkey The default value is 3 ListenPassKey This directive is the passkey used with remote configuration when the ListenAuthMode is 2 or 3 The value serves as a simple password The corresponding password in the CorreLog Server is found in the System gt Parameters tab of the web interface ListenPort This directive should be the integer number of 55514 which is the TCP port at which the CO sysmsg exe program listens for remote requests Generally this value is provided mainly for reference and cannot be easily changed If these three directives are commented out or removed from the configuration file then remote configuration is disabled and only manual configuration of the CO sysmsg exe program is permitted CorreLog WTS P
94. sed setup program documented in Section 2 of this manual CorreLog WTS Page 64 Stop the CorreLog Syslog Message Service on the platform using the Windows Service Manager and verify that the CO sysmsg exe program as stopped Optionally make any additional changes to the CO sysmsg cnf file such as adding any special filters or configuration directives to the file Create a batch file that launches the CSetup exe program called INSTALL bat The batch file will contain precisely two lines as follows cd C Program Files CorreLog csetup exe destipaddr gt INSTALL 1log This batch file should reside in the same directory as the CSetup exe program The user should substitute the value of destipaddr for the IP Address of the CorreLog server NOTE This value should be double checked since any mistake in specifying the destination IP address will be difficult to fix after deploying software across the enterprise Execute the Corner House Software msicreate program Drag the entire wintools directory into the Source Path window When finished the Source Path will list all the files within the original wintools directory including the INSTALL bat file created in step 5 above Click on the msicreate Product tab and specify a Title of CorreLog This is required by the Corner House software in order to install into the C Program Files CorreLog destination directory as configured in the above bat
95. seful for detecting security breaches and this value should normally be set to Error or above The authentication message generated by the CO trecv exe program will report the IP address of the CO tsend exe program or other program attempting to send a message to the CO trecv exe program LogLocal This value is set to either True or False If the value is True then all messages sent by the CO trecv exe program are also logged in the CO tsend log file along with any error messages encountered by the program This provides a simple way to verify whether UDP messages are being dropped Note that the CO trecv log file is restarted each time the service is started hence the file does not grow without bounds If this directive is omitted it is interpreted to be False EncryptKey This value is the encryption key used to encrypt message It can contain any alphanumeric characters including spaces but all spaces are ignored The value must agree with the EncryptKey value specified in the CO tsend exe program The value of Default is the initial key configured in both CO tsend exe and CO trecv exe If the value is modified in one location it must be modified in all locations Note that the CO trecv cnf file and CO trecv exe program are not found within the WTS package Rather these two files exist as standard part of the CorreLog server installation within the CorreLog system folder at the m
96. self extracting WinZip file completes the automatic installation procedure starts The installation dialog for the program is depicted below The user must view the license agreement and click the check box in order to proceed to the next screen ah CorreLog Windows Agent Setup Program a A a Ths is progra rreLog Windows Ager nt a n this se iver the Ce A Lop LENE be low i arr ing or the View License ES EET a the ter i a click the checkbox bel SE to pro van the execution of te CORRELOG fa Rte cu En eLag Inc All rights reserve d http www correlog 6 Follow the prompts of the automatic installation procedure A single value is required from the user on the second screen of the dialog which is the hostname or IP address of the machine running the Syslog server normally the CorreLog Server 7 When the installation is complete the CO sysmsg exe program is installed and running On startup this process sends a single Syslog message to the configured destination host Check that host to verify a message was correctly sent and received CorreLog WTS Page 11 The entire installation process will normally take only one minute or so No other steps are needed to install and start the program Installation Checkout The most likely problem with the installation that a user may experience will be that a firewall or port blocker prevents the CO sysmsg exe program from sending Syslog messages across the network
97. sg File 23 Config Remote Via CorreLog Web Interface 43 Configuration 6 7 24 25 26 41 42 43 44 45 50 51 53 72 Configuration Firewall 50 Configuration PassKey 43 Configuration Remote 41 Configuration Remote Parameters 25 Connectivity 10 Corner 62 63 CorreLog Remote Config Via Web Interface 43 CorreLog WTS Installation 9 CorreLog WTS Usage 15 CorreLog Windows Tool Set Interoperability 7 Correlation 5 6 Creating 60 61 Creating Custom MSI Package 61 Creation 62 Critical 81 84 85 Csetup 59 60 Csetupcnf 59 Csetupexe 59 60 62 63 64 Custom 60 61 Custom Creating MSI Package 61 D Data 20 34 55 81 Data Encrypting 20 Database 33 Debug 81 84 85 Deduplicate 28 72 Default 42 48 52 54 72 74 75 Defaultfacility 28 29 30 35 37 73 74 75 Defaultfacilty 35 Defaultseverity 28 29 31 35 37 38 73 74 75 83 Deployment 57 Deployment Automatic 57 Destination 24 25 26 Destination Address And Port Number Directives 24 Destinationaddress 25 31 42 45 49 50 51 56 59 62 72 Destinationport 42 51 52 53 72 Destinations 26 CorreLog WTS Page 91 Detailed 21 23 86 Device 43 46 Devices 60 Directive 48 Directives 24 26 Directives Destination Address And Port Number 24 Disk 10 Dlls 6 Download 10 11 Drag 63 E Editor 43 44 Emergency 81 85 Enable 43 Encoding 34 74 75 Encryptdata 27 31 69 72 Encrypti
98. should contain a single line which is the IP address of destination messages This third alternative permits the Csetup exe program to be executed without any command line options which may be necessary for some deployment software CSetup exe Program Operation The CSetup program requires no user input and can run within a batch file or run by automated installation software The program contains various robust features to handle errors and a variety of different operating systems and environments The CSetup program will first uninstall any existing service and then re install itself This permits the program to be executed again to re install the software The program additionally starts itself once it is installed A brief transcript of activities is displayed to standard output including any errors that the program CorreLog WTS Page 61 encounters Error messages if any are logged to standard output rather than error output making it easy to capture the entire transcript of the program s execution When the CSetup program is finished which typically takes less than 30 seconds the Windows agent program has been installed and started and a startup message has been sent to the destination address This message should appear in the CorreLog server log file as verification that the program was correctly installed and started and the new device should automatically appear in the CorreLog Devices tab Creating A Custom Packag
99. slog receiver which must be listening to port 514 at the address Either an IP address or an official hostname or alias is required as the first argument message The second argument is required and is the message to send to the remote Syslog server The message will require double quote marks if the message contains any spaces The message can be up to 1024 characters long and should generally not contain any strange characters to promote readability of the message by end users The special value of stdin when used as the message causes the Sendlog exe program to read standard input useful for sending files of data to the Syslog server CorreLog WTS Page 18 sevnum The third argument is optional and is the severity number ranging from 0 emergency to 7 debug If this option is not specified then the default severity for sending a message is 7 debug A list of severities is provided at the end of this section facilnum The fourth argument is optional and is the facility number ranging from 0 kernel to 23 local7 If this option is not specified then the default facility for sending a message is 1 user A list of facilities is provided at the end of this section NOTE that if this option is specified the user must also specify a severity number described above Sendlog exe Command Line Examples To illustrate the operation consider the following examples of Sendlog program usage that might be typical in an operat
100. son for making this setting an environmental variable rather than a command line option is that it makes a naive hacker less able to transfer information from the platform using the sendlog exe program Hence setting this environmental variable is a more secure way of enabling encryption The Wsendlog exe Program In addition to the Sendlog utility program the CorreLog WTS provides an alternate Windows based utility named Wsendlog exe which employs a user friendly Windows dialog to send messages The Wsendlog exe utility operates in a fashion identical to the Sendlog exe program It permits the user to specify a destination IP address facility and severity along with a command line for entering the message to send The utility may be useful for testing correlation rules or other features of the CorreLog system CorreLog WTS Page 20 The Wsendlog exe program does not make use of encryption hence will work with any Syslog receiver in addition to CorreLog The program is completely stand alone and does not require any DLL programs or support software It may be copied to any Windows platform and used by itself The CO tsend exe Tunnel Sender Program The CorreLog WTS provides one special utility to support secure TCP tunneling of messages through firewalls and routers The CO tsend exe program is the CorreLog Tunnel Sender Service program and works with the CO trecv exe program of the CorreLog system By default
101. ss and as a standard Windows service The program can be seen in the Windows Service Manager with the name CorreLog Syslog Message Server The program can be started and stopped from that location or can be started and stopped via the net command with the short name CorreLog Message The program is normally configured in the Windows Service Manager to start automatically when the host platform boots Users can verify the program is running by finding the CO sysmsg exe program name in the Windows Task Manager The CO sysmsg exe program monitors the event logs including the Application System Security and other third party event logs When a new event message is found it sends the message with an appropriate facility and severity to the Syslog receiver By default all messages logged by the Windows Event Log facility are relayed to the destination host but the configuration file can modify this behavior The destination address for all messages is configured in the CO sysmsg cnf file which is in the same directory as the CO sysmsg exe program This file MUST exist in that location and is read whenever the CO sysmsg exe program starts A detailed explanation of this configuration file including all directives that can be included in the file is provided in the next section of this manual The CO sysmsg exe program creates the CO sysmsg log file in the same directory as the executable progra
102. sysmsg stop The stop option stops the CorreLog Syslog Message Service identical to ending the service via the Windows Service Manager or executing the net stop CorreLog Message commana If the service is already stopped this option has no affect CO sysmsg mode auto manual disable The mode option must be followed by the keyword auto manual or disable and modifies the CorreLog Syslog Message Service startup mode identical to making this modification via the Windows Service Manager CO sysmsg permit The permit option tests the permissions of the user to access the Windows Service Manager The program displays the status of the permissions either available or not CO sysmsg foreground The foreground option executes the CO sysmg exe program as a foreground process without the service manager In addition to sending Syslog messages to the receiver the program displays any internal error messages or warnings and additionally displays message to standard output CO sysmsg check The check option executes the CO sysmsg exe program checking the configuration file and displaying any error messages The program exits after the checks This option is useful if any changes are made to the configuration data Error messages are always logged to the CO sysmsg log file for later inspection CO sysmsg help The help option displays brief help on the above options
103. tandard utility distributed by Microsoft and should be in the user s path Contact CorreLog support for details on how to acquire this utility The CSetup exe Command Line Setup Program The CorreLog WTS package contains a simple command line setup program CSetup exe which allows the program to be installed via a batch file or via the command line This utility is found in the same directory as the other executable windows programs by default the C correlog wintools directory The CSetup exe program is used by the wt silent exe program described above to perform the silent installation of the agent The program can also be executed directly or can be used in a batch file The program accepts a single argument which is the address of the CorreLog server which receives messages from the Windows Agent For example to install the program and send destination messages to the CorreLog server executing at 192 168 1 1 the following command can be executed after extracting files CSetup exe 192 168 1 1 Rather than specifying the IP address on the command line the address can be specified by the DestinationAddress environmental variable The following command issued in a batch file or at a command prompt is equivalent to the above Set DestinationAddress 192 168 1 1 CSetup exe As a third alternative the user can create a file CSetup cnf in the same directory as the Csetup exe program The CSetup cnf file if it exists
104. tegories are mapped as Notice severities because system events are generally more important than application events Windows System Log Severity Assigned Syslog Severity Critical Critical Error Error Warning Warning Other Notice Windows Security Event Log Severities The table below provides the mapping between the Windows Security event log and syslog messages generated by the agent Unlike the other event logs the Windows security log provides only two classes of messages either Success or Failure The syslog message severity associated with these message types is mapped as show below Windows Security Log Severity Assigned Syslog Severity Success Critical Failure Error Other Debug CorreLog WTS Page 86 Windows Log File Monitor Severities Unlike the windows event logs the log file monitor portion of the agent relies strictly on keywords within the message to establish severities This permits the agent to monitor arbitrary files that may have no specific event information assigned to a message CorreLog uses a heuristic method of establishing severities based upon the content of keywords within the log files as shown below Match Keyword Assigned Syslog Severity emergency or extreme or Emergency danger or hazard alert or attention or caution Alert critical or important or severe or Cr
105. tive if it exists describes the encoding for messages in the file The values can be Western UTF 8 GB2312 Big5 or KR EUC If this directive does not exist or the value of this setting is Default then the device type settings determine the message encoding This switch works only for CorreLog implementations and is not applicable to third party syslog receivers that may receive messages from the agent The setting is mainly useful for those systems where a log file may be written using an encoding scheme that is different from the rest of the encoding used on the platform such as when a UTF 8 encoded file is being written on a GB2312 type system Formatter This optional directive if it exists is an interface to a custom formatter This custom formatter consists of a DLL supplied by CorreLog or some other vendor that is installed at the agent and used to process data to format syslog records If this directive is specified its value can be user01 user02 user03 or user04 based upon information supplied by CorreLog and or the DLL designer See additional notes below MaxSizeChange This optional directive if it exists must follow the LogFile directive It is an integer size in bytes If the file increases by this amount of bytes or more during a single 500 msec interval it will trigger a special message indicating that the file has increased rapidly in size If this value is not furnished the value of 10 00
106. ts The following directives are supported LogFile This directive indicates the pathname to a streaming text log file on the system The user can specify the pathname as a relative pathname with respect to the location of the CO sysmsg exe program or absolute pathname using either forward or backward slashes All the directives that follow until the next LogFile directive apply to the specified log file This directive can contain Time Format values such as y Yom Yd to respectively match the two digit year two digit month or the two digit day For example the file specification C windows logfiles f y m d log can be used to monitor a file with a name such as f 091231 log Additionally the root filename can contain a wildcard to match the file that was most recently modified For example the file specification C windows logfiles log matches the file in the logfiles directory that was most recently modified CorreLog WTS Page 34 LogName This optional directive if it exists must follow LogFile directive It is the name of the log file or subsystem that is displayed in the Syslog message If this value is not provided the event message is not identified with the log file other than in the message content The value can be any arbitrary text string It is commonly punctuated with a trailing semicolon supplied by the user such as Oracle Data or HTTP Log File Encoding This optional direc
107. ts a message is logged in the CO tsend log file CorreLog WTS Page 53 found in the same directory as the CO tsend exe program There is generally no need to change this value SyslogListenPort This is the UDP port number where the CO tsend exe program listens for Syslog messages by default the standard port number of UDP 514 No other program can be listening to this port while the CO tsend exe program executes and this port must be free when the CO tsend exe program starts If any conflict exists a message is logged in the CO tsend log file found in the same directory as the CO tsend exe program There is generally no need to change this value MatchAddress This directive is an IP address or wildcard in the form which can limit the devices that can send messages to the CO tsend exe program The user can leave the default value to match all IP addresses or specify a subnet such as 10 30 or 10 15 8 or can specify a precise IP address This provides extra security by limiting the range of devices that can access the TCP tunnel ErrorSeverity This directive indicates the severity of any Syslog message generated by the program If the CO tsend exe program encounters an error it attempts to send an unencrypted UDP message to the CorreLog server running at the DestinationPort IP address The value can be set to disabled to prevent any Syslog messages All errors are also logged in the CO tsend log
108. tting for the CO sysmsg exe program The values of DestinationAddress DestinationPort ListenAuthMode ListenPassKey and ListenPort cannot be change by the remote configuration process Each of these values can be changed only by manually editing the CO CorreLog WTS Page 44 sysmsg exe configuration file Attempts to modify any of these values are silently bypassed This enhances security by ensuring that these values can be changed only by remotely logging into the host platform with an administrative login editing the configuration file manually and then restarting the CO sysmsg exe program PassKey Configuration In some circumstances the best or only type of authentication available will be with Auth Mode 2 which is passkey authentication In particular using a passkey as the sole authentication will be necessary on networks that are using NAT Network Address Translation or if the CorreLog server is multi homed or if tunneling software is being used In these cases the destination address for Syslog messages may not be the same as the location of remote configuration requests making the use of Auth Mode 1 or Auth Mode 3 difficult or impossible The passkey is simply a text string of 40 characters or less The value is case sensitive but can contain any printable characters including spaces The value is passed as an argument to the rsmconf exe program discussed below and also is configured in the CorreLo
109. uch as UseSeverity disabled or UseSeverity 1 and then follow this directive with a series of MatchKeyWord values any of which will exclude a message from the event log regardless if a match is found elsewhere in the event log specification The disabled keyword can be used only in the configuration file is given a rank of 1 below emergency 0 and is taken as the highest severity of the system If the DefaultSeverity value is set to disabled then a message must specifically match one of the MatchKeyWord values for it to be sent This is a way of sending messages by exception useful for targeting only those messages of interest on the system By default the Security log uses this technique to reduce the number of security messages sent to the CorreLog server Event Message Encryption As a special facility the CO sysmsg exe program encrypts messages sent to the CorreLog Server system The administrator edits the EncryptData directive and sets the value to False in order to disable this function The encryption prevents casual snooping of the data by using a block rotating time based cipher that is built into both the CorreLog Server and the CO sysmsg exe program There will be no apparent change to the data displayed However if the destination address is made some other Syslog server it will be apparent that the data is actually encrypted The encryption provides a fair degree of p
110. uires various permissions and adaptations described in this section Specifically remote configuration capability is limited by the value of the ListenAuthMode directive within CO sysmsg cnf file which controls and limits remote request via the source address of the client or via passkey or both The default ListenAuthMode setting is 3 which requires both a valid passkey and also the client to be at the same IP address as the destination address Remote configuration capabilities of the CO sysmsg exe program permit a high degree of flexibility security and maintainability of this program This section will be of interest to system installers administrators and operations personnel CorreLog WTS Page 43 Authentication Of Remote Configuration Requests The CO sysmsg exe program listens for remote configuration requests at TCP port 55514 This port number is included in the configuration file for the program but cannot be easily changed If this port is busy when the CO sysmsg exe program starts or if the ListenPort directive is commented out of the file then no remote configuration is possible and this particular capability of the CO sysmsg exe program is disabled Three different modes of operation are possible as determined by the ListenAuthMode setting of the configuration file Auth Mode 0 Setting the ListenAuthMode to a value of 0 disables authentication of requests This value should probably never be used ex
111. value is set to either True or False If the value is True then all Syslog messages sent by the CO sysmsg exe program are also logged in the CO sysmsg log file along with any error messages encountered by the program This provides a simple way to verify whether UDP messages are being dropped Note that the CO sysmsg log file is restarted each time the service is started hence the file does not grow without bounds If this directive is omitted it is interpreted to be False EncryptData This value is set to either True or False If the value is True then the message data is encrypted before it is transmitted which is the default This setting will make the CO sysmsg exe program usable ONLY with the CorreLog Server The program WILL NOT operate with any other Syslog server if this value is set to True If this directive is omitted it is interpreted to be False See later notes in this section for more details MarkerMessage This value is the content of a syslog message that is issued periodically to the receiving program useful for generating a heartbeat The value is ignored unless the value of MarkerMinutes described below is set to a positive integer value The message must be under 256 characters and can contain static text environmental variables delimited by characters and or a date and time specification By default no periodic syslog message is sent This directi
112. ve should be used only with CorreLog Version 3 5 1 or higher MarkerMinutes This value is an integer number ranging from 1 to 65535 minutes indicating how fast the MarkerMessage heartbeat is sent if any A value of zero or less disables the marker message the default condition In order to send a marker message this directive must exist in the configuration file and the value must be a positive integer value and the MarkerMessage must be defined By default no periodic syslog CorreLog WTS Page 27 message is sent Remote configuration of this directive requires CorreLog Version 3 5 1 or higher See later notes in this section for more details Deduplicate This value is an integer number ranging from 0 to 5 seconds indicating the deduplication seconds applied to messages generated by the agent If this value does not exist the agent will deduplicate messages that occur within 3 seconds The user can turn off the deduplication filter by setting this value to zero or increase the value to 5 seconds MessageFormat This value is a phrase or keyword flag that can be used to control the message format of all messages output by the agent program Specific values include normal or LEEF but other values may exist to support special message formats that may be required Contact support for other values and variants The MessageFormat directive is usually omitted from the configuration file Event Log Specifications Fol
113. vriaht 2008 2014 CorreLoa Inc All riahts reserved As shown above the user makes changes to the remote configuration can check the information or upload the information back to the remotely executing CO sysmsg exe program Clicking the Upload button automatically initiates a check of the data The data cannot be uploaded if any errors are encountered The user can also manually check the data before uploading via the Check button CorreLog WTS Page 46 Note that it is possible to download the CO sysmsg cnf file from one platform and upload the file to another platform affording a simple method of copying the configuration of one CO sysmsg cnf to another The user simply changes the target IP address to be that of the receiving platform before clicking the Upload button The specified platform must be executing the CO sysmsg exe program and must be configured to permit remote configuration Remote Configuration Via The Rsmconf exe Utility An alternative to remotely configuring the CO sysmsg exe program via the CorreLog web interface is to use the rsmconf exe program which is included both in the main CorreLog server within the system directory and also the CorreLog WTS software within the wintools directory This utility permits the user to perform remote configuration at a command line possibly within a batch file The rsmconf exe program accepts the following command line arguments rsmconf down
114. with match patterns that filter and set the severities and facilities associated with Event Log messages 4 The file has an additional section which does not require or interact with the event log monitors that allows the user to specify up to 10 different streaming log files to be monitored This works independent of the event log monitor and is extremely useful for instrumenting arbitrary system log files such as those associated with Oracle and Apache 5 Log file paths used by the log file monitor can be dynamically derived to contain dates and times using standard time specifications incorporated as part of the pathname 6 Log file paths used by the log file monitor can contain wildcards either an asterisk to match multiple characters or a question mark to match a single character In this case the file that matches the wildcard and which has been most recently modified on the system is used as the operant file 7 The agent can contain a marker function that permits a heartbeat type indication to be sent at periodic intervals This heartbeat can be used to schedule periodic activities but cannot be coordinated to a particular time of day such as midnight or noon 8 The agent can send data to multiple IP Addresses using the AuxAddress directive Zero to eight auxiliary addresses can be defined These addresses are not authorized to remotely reconfigure the agent and CorreLog WTS Page 40 cannot be encr
115. y This permits the CorreLog Security Correlation Server to effectively manage Windows platforms in addition to managing Unix platforms routers and mainframe computers The CorreLog WTS is very lightweight and easy to install The program should be installed on each Windows platform of interest in an organization or enterprise If you are unfamiliar with Syslog protocol as a management technique refer to the CorreLog User Reference manual which contains a comprehensive description of Syslog functionality If you wish to get started immediately with the installation of the CorreLog WTS see notes at the bottom of this current section This manual should be of interest to network managers and administrators responsible for installing and maintaining CorreLog This manual will also be useful to any developers who are interested in using this software as a basis for larger enterprise management strategies CorreLog WTS Page 5 CorreLog Windows Tool Set WTS Overview The CorreLog Syslog Windows Tool Set WTS is a collection of executables and files that add Syslog capability to Windows platforms In particular this tool set includes a non intrusive Windows Agent program that relays Syslog messages to a Syslog receiver permitting easy integration of the CorreLog Security Correlation Server with Microsoft Windows platforms Note that with no special software installation the CorreLog system works with Unix platforms Routers and var
116. y which permits event log messages of arbitrary text content to be generated whenever a performance counter is at a limit The event log messages are subsequently converted into to Syslog messages which arrive at the Syslog receiver As an alternative the user can actually launch external programs when Windows Performance Alerts occur In this case the user can configure the Performance Monitor to execute the sendlog program passing as the Syslog message the counter name counter values and other items of interest This is all available via the Admin Tools gt Performance gt Performance Logs And Alerts screen which is a standard part of the Windows system How do detect when a user logs on or off the system This usually requires no modifications to the system However it may be that the Windows Audit policies in the Local Security Settings screen of the Windows Control Panel gt Administrative Tools screen have not been enabled Launch this standard windows tool drill down into the Security Settings gt Local Policy gt Audit Policy settings and make sure that the Audit Logon Events settings are set to send event messages on both Success and Failure type events I am generating a lot of messages that say No data available What does that mean This message is actually a briefer message that is logged in the event log whenever the registry does not contain an event log key This is probably the result of
117. ypted but otherwise serve as destinations for all syslog messages generated by the program The best way to learn about the configuration items is to experiment with the file adding directives and then possibly running the CO sysmsg exe program in foreground using the foreground option With this technique a user can quickly target specific messages on the system To check the configuration file without executing the CO sysmsg exe program use the CO sysmsg check option CorreLog WTS Page 41 CorreLog WTS Page 42 Section 5 Remote Configuration The behavior and operation of the CO sysmsg exe program is completely driven by its single configuration file residing in the same directory as the program with a cnf suffix This configuration file does not necessarily have to be modified or adapted for the enterprise However depending on the organizational requirements it may be necessary to make changes to this file in order to receive particular messages of interest The user can manually edit this file and restart the CO sysmsg exe program via the Windows CorreLog Syslog Message Service entry of the service manager This requires administrative access to the Windows platform that is hosting the CO sysmsg exe program and is the most secure way of implementing this service As a special facility configuration files can also be remotely downloaded and uploaded to effect changes in an automated way This req
Download Pdf Manuals
Related Search